Back to skill
Skillv3.2.0
VirusTotal security
fishing-trip · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 8:11 AM
- Hash
- 0c88dfc8962b354c4902d1358cea2e9ef9e0466c686eca1cb2d290d9b08ebb90
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: fishing-trip Version: 3.2.0 The skill bundle contains instructions in SKILL.md and references/fallbacks.md that command the AI agent to perform a global system installation of an external NPM package (@fly-ai/flyai-cli) using 'npm i -g'. While this is presented as a prerequisite for the flight booking functionality, requiring the agent to install arbitrary third-party software globally is a high-risk behavior that could lead to supply chain attacks or remote code execution. Additionally, the instructions use aggressive prompt-injection techniques to force the agent to ignore its training data and exclusively use the external CLI tool.
- External report
- View on VirusTotal