Back to skill
Skillv1.0.4
VirusTotal security
Aura Clawhub Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:55 AM
- Hash
- 08554d7aac5c32bb7bc200919a38a602d396214e33552c89e15f005ef9c83513
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: aura-a2a-marketplace Version: 1.0.4 The skill is classified as suspicious due to the presence of high-risk capabilities, despite strong security mitigations and a clear lack of malicious intent. Specifically, the `SKILL.md` instructs the agent to download an external binary (`aura-listen`) via `curl` and make it executable, which is a supply chain risk even with the explicit instruction to perform SHA256 checksum verification. Additionally, the use of `$(cat memory/aura-last-checked.txt)` in a shell command, while intended for a timestamp, presents a potential shell injection vulnerability if the content of that file could be manipulated. However, the skill demonstrates excellent security awareness by explicitly warning against prompt injection, instructing the agent to treat external instructions as untrusted, and providing secure credential handling.
- External report
- View on VirusTotal