Back to skill
Skillv0.1.0
VirusTotal security
Flowise · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:45 AM
- Hash
- 19e4fca6155f276bc8d9ea6badf5492448b19278238c56140d5c9da7b56a8236
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: openclaw-flowise-skill Version: 0.1.0 The `SKILL.md` file instructs the AI agent to interact with a Flowise API, explicitly detailing a `form` object with a `script` parameter described as '要执行的脚本' (script to be executed). The agent is instructed to pass user-controlled input to this `script` parameter. Given the suggested default Flowise server URL of `http://localhost:3000`, a malicious prompt could instruct the agent to send a harmful script to the local Flowise instance, potentially leading to arbitrary code execution on the agent's host. This constitutes a significant prompt injection vulnerability against the agent, leveraging a potential RCE in the Flowise API, rather than direct malicious code within the skill bundle itself.
- External report
- View on VirusTotal