Back to skill
Skillv0.1.0
VirusTotal security
Mcp Builder test · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:50 AM
- Hash
- b159b1f49cd0374777e4188c9f7c1fa67053f9db8cf94fa279e48f2fd195273c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: unique-mcp-builder-test Version: 0.1.0 The skill bundle is classified as suspicious due to significant Remote Code Execution (RCE) and Server-Side Request Forgery (SSRF) vulnerabilities present in `scripts/evaluation.py` and `scripts/connections.py`. The `evaluation.py` script is designed to execute arbitrary commands and make network requests to user-specified targets (via command-line arguments like `--command` and `--url`) for evaluating MCP servers. While this functionality is intended for evaluation, it poses a critical risk if the script is run with untrusted inputs. Additionally, `SKILL.md` instructs the AI agent to use `WebFetch` to load documentation from `raw.githubusercontent.com` and generally use 'web search and WebFetch as needed,' introducing a supply chain risk. There is no clear evidence of intentional malicious behavior within the skill bundle itself, such as data exfiltration or backdoor installation.
- External report
- View on VirusTotal