Back to skill
Skillv1.0.0
VirusTotal security
tester_skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:10 AM
- Hash
- a992effd2e86f8da18e9805b7646b0a7520364fdeb7451abcc254bf253d5c607
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tester Version: 1.0.0 The skill is classified as suspicious due to a significant prompt injection vulnerability pattern identified in `SKILL.md`. The `spawn_subagent` instruction demonstrates passing unsanitized, user-controlled data (GitHub issue `title` and `description`) directly into a sub-agent's `task` string. This allows an attacker to craft malicious issue content to potentially manipulate the sub-agent's behavior. Additionally, the instruction to `export GITHUB_TOKEN` highlights a sensitive secret management practice, which, while necessary for functionality, poses a risk if not handled securely by the agent or user.
- External report
- View on VirusTotal