Skill v1.0.0
VirusTotal security
mobile app builder with live link, publishes to app store, create ai apps · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:20 AM
- Hash: 961397c19ef551f489fc335ccf1e3418edb38264f7d9903a1d113510306f0f33
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: mobile-app-builder-ai. Version: 1.0.0. The skill is classified as suspicious due to multiple critical vulnerabilities. The `SKILL.md` instructions pose a prompt injection risk, as they direct the OpenClaw agent to execute `node` commands with user-controlled input (e.g., `<description>`, `<change request>`) directly interpolated, potentially leading to shell injection against the agent's host. Additionally, the `scripts/launchpulse.cjs` script contains a Local File Inclusion (LFI) vulnerability, where user-supplied file paths for `--payload-file`, `--vars-file`, and `--contact-file` are read directly using `fs.readFileSync`, allowing arbitrary file access on the agent's system. The `db query` command also passes raw user SQL to the backend API, creating a potential SQL injection vulnerability in the overall system. While these are severe flaws, there is no clear evidence of intentional malicious behavior (e.g., exfiltration to an attacker-controlled domain, persistence mechanisms) within the provided files, indicating they are likely vulnerabilities rather than deliberate malware.
