Skill v1.0.0
VirusTotal security
Arxiv Skill Extractor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:59 AM
- Hash: 3aeb25e1a3d1f6c13458f920ae4d5434058278f36207a49a9005ee1bbadf4d4c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: arxiv-skill-extractor; Version: 1.0.0. The skill is designed to generate new OpenClaw skills from arXiv papers. However, the `renderSkillMarkdown` function in `index.js` directly interpolates unsanitized content from the `paper` object (e.g., `paper.title`, `paper.abstract`) into the body of the *generated* `SKILL.md` file. This creates a significant prompt injection vulnerability in the newly generated skill. If a malicious arXiv paper (or a compromised `arxiv-paper-reviews` service) provides crafted content, the generated `SKILL.md` could contain instructions that trick the OpenClaw agent into performing unauthorized actions when it later processes that generated skill. This is a critical vulnerability, classifying the skill as suspicious.
