Back to skill
Skillv1.0.0
VirusTotal security
Vanzhangsh Skills · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:00 AM
- Hash
- bf0ee4a79cc6a975137cf11cc9efba437f96d3614e8ea63c8f4945d50e68be6c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: vanzhangsh-skills Version: 1.0.0 The skill is classified as suspicious due to the broad `allowed-tools: Bash(agent-browser:*)` permission in `SKILL.md`, which grants the AI agent full control over the powerful `agent-browser` CLI. This tool exposes high-risk capabilities such as arbitrary JavaScript execution (`agent-browser eval`), direct access to browser cookies and local storage (`agent-browser cookies`, `agent-browser storage`), and the ability to save the entire browser session state to a local file (`agent-browser state save auth.json`). While these are legitimate features for browser automation, their unrestricted exposure makes the agent highly vulnerable to prompt injection, allowing an attacker to instruct the agent to exfiltrate sensitive browser data, execute arbitrary code within the browser context, or perform unauthorized actions.
- External report
- View on VirusTotal