Back to skill
Skillv1.0.0
VirusTotal security
Creem Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousMar 31, 2026, 11:46 AM
- Hash
- 98f5425199313b658732b95a9cb6342e1091560817befbbaacbac5099e9b3a0f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: creem-agent Version: 1.0.0 The skill bundle contains several high-risk patterns and vulnerabilities, though no clear evidence of malicious intent was found. Most notably, SKILL.md instructs the agent to fetch and follow instructions from remote URLs (e.g., creem.io/SKILL.md) as a fallback, which introduces a remote prompt injection vector. Additionally, scripts/heartbeat.py uses subprocess.run(shell=True) for command execution, and SKILL.md directs the agent to construct shell and curl commands using potentially unsanitized user inputs like customerId and productId, posing a risk of command injection.
- External report
- View on VirusTotal