Back to skill
Skillv3.2.0
VirusTotal security
gap-year-travel · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 8:31 AM
- Hash
- 4ecc1ec12df43bc95651a0a70004e9752cab7ae0533ea0dfe6d7652aa0417083
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: gap-year-travel Version: 3.2.0 The skill bundle requires the global installation of an external npm package (`@fly-ai/flyai-cli`) using `npm i -g` if the command is not found, which poses a significant risk of Remote Code Execution (RCE) and supply chain compromise. While the instructions in SKILL.md and references/fallbacks.md are aligned with the stated purpose of flight searching, the mandatory high-privilege installation of unverified third-party software is a high-risk behavior. No explicit evidence of malicious intent or data exfiltration was found within the provided logic.
- External report
- View on VirusTotal