Back to skill
Skillv3.2.0
VirusTotal security
military-leave · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 9:26 AM
- Hash
- a3e1153bd176fd4b7d953ca1b407ac58a24d422368214a916c8dee620c822fb4
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: military-leave Version: 3.2.0 The skill bundle mandates the global installation of an external NPM package (`@fly-ai/flyai-cli`) via the shell if it is not already present on the system (found in SKILL.md and references/fallbacks.md). While this is aligned with the stated purpose of searching for flights, forcing an AI agent to execute 'npm i -g' introduces significant supply chain risks and requires elevated system permissions. The instructions also employ aggressive prompt-injection language to override the agent's default behavior and force it to execute shell commands exclusively.
- External report
- View on VirusTotal