Back to skill
Skillv1.0.2
VirusTotal security
T.LY URL Shortener · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:35 AM
- Hash
- 657b58618cc5ddfac4fe092f0dac5e5f3591f6d5b9190f99048ca9313a565eb1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tly Version: 1.0.2 The skill is classified as suspicious due to a shell injection vulnerability in the fallback `curl` command within `SKILL.md`, where the `TLY_API_TOKEN` environment variable is expanded in a way that allows command execution. Additionally, the instructions strongly encourage the installation of a specific PyPI package (`tly-url-shortener-api`) labeled as 'official,' which could serve as a vector for a supply-chain attack if the package is not legitimately maintained by the service provider. While the skill includes some security guardrails regarding secret handling, these implementation flaws and the reliance on unverified external code pose a risk to the host environment.
- External report
- View on VirusTotal