Skill v0.1.0

VirusTotal security

Command Creator · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: May 1, 2026, 3:45 AM
Hash: 6e231ad525fdcc9cc31175c581fefb10b5a228c3c0de6c97a9978c4e2c134fb5
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: command-creator
Version: 0.1.0

The 'command-creator' skill is designed to generate new OpenClaw slash commands (executable markdown files) based on user input. This core functionality, detailed in `SKILL.md`, presents a significant prompt injection vulnerability: a malicious user could instruct the agent to create a command containing harmful shell commands or other agent instructions. While the skill itself does not exhibit malicious intent (e.g., no direct data exfiltration or backdoor installation), its ability to generate executable content, perform file system operations (`mkdir -p`, writing files), execute shell commands (`git rev-parse`), and potentially invoke subagents, makes it a high-risk tool that could be exploited to achieve arbitrary code execution or other unauthorized actions when the generated command is subsequently run. The `README.md` also points to an `npx add` installation method, which introduces a supply chain risk.