Skill v1.1.1

VirusTotal security

Ucm · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:04 AM
Hash
f21cfb8786b001097637788e4e51ede171a872ea6e1132d3bc9a78809c79ce6d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: ucm
Version: 1.1.1

The skill bundle is classified as suspicious due to its explicit provision of high-risk capabilities, notably `ucm/code-sandbox` for executing arbitrary code (Python/JS/Bash/R/Java) in a sandboxed environment, `ucm/web-scrape` for extracting webpage content, and `ucm/email` for sending emails. While these services are documented as part of the skill's purpose as an API marketplace, they introduce significant vulnerability surfaces. Misuse by an AI agent (e.g., via prompt injection) or vulnerabilities in the underlying sandbox could lead to arbitrary code execution, sensitive data exfiltration, or unauthorized communication. The `scripts/register.sh` includes input sanitization for JSON payloads, mitigating direct shell injection for those specific inputs, and the `SKILL.md` does not contain hidden malicious prompt injection directives. However, the inherent power and potential for misuse of the exposed services warrant a 'suspicious' classification rather than 'benign'.