Skill v1.0.0

VirusTotal security

Task Orchestra · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:25 AM
Hash
124ebb4035061ae353a375a18e2f02ad8a67ff604469799f4cdd779c9adf47a0
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: task-orchestra
Version: 1.0.0

The skill 'task-orchestra' is classified as suspicious due to its powerful capabilities that, while aligned with its stated purpose of agent orchestration, present significant security risks. It requires access to `curl` and `jq` (enabling network and shell command execution) and the `BRAVE_API_KEY` environment variable (access to a secret). Crucially, the skill instructs the agent on how to spawn, steer, and kill subagents (`sessions_spawn`, `sessions_send`, `subagents kill`, `subagents steer`), which are powerful primitives that could be leveraged for unauthorized actions or data exfiltration if the agent receives malicious prompts. While there are no explicit instructions for malicious behavior within the `SKILL.md` itself, the combination of broad permissions and powerful execution capabilities makes it a high-risk component.