Skill v1.3.0

VirusTotal security

skill-forge · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review Mar 25, 2026, 12:36 PM
Hash
8877066be14b38a109ca02cdcf861d1b1bca342fdc2e3fa5f5e019f48c901084
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: skill-forge-va
Version: 1.3.0

The skill bundle provides a CLI tool ('skill-creator.js') for scaffolding, packaging, and managing OpenClaw skills, including features for wrapping existing binaries and installing system dependencies. It is classified as suspicious because it makes extensive use of 'child_process.execSync' to execute system commands (e.g., 'apt-get', 'brew', 'winget', 'xcopy', and PowerShell's 'Compress-Archive') using unsanitized string interpolation of user-provided arguments like 'skillName' and 'dependency'. This creates a high risk of shell injection and Remote Code Execution (RCE) if the AI agent is prompted to use malicious inputs. While the tool includes a 'detect-malware' command and its functionality aligns with its stated purpose, the lack of input validation for powerful system operations is a significant security flaw.