Back to skill
Skillv3.2.0
VirusTotal security
oversize-baggage · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 24, 2026, 8:06 PM
- Hash
- c9a9d4a8e21a7db6716850c55d4a4b361ba95a0f787f853dbb0470163bd04870
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: oversize-baggage Version: 3.2.0 The skill bundle instructs the AI agent to automatically perform a global installation of an external npm package (`npm i -g @fly-ai/flyai-cli`) if the CLI is missing. This behavior introduces a significant supply chain risk and potential for Remote Code Execution (RCE) on the host system. While the instructions appear aligned with the stated flight-search functionality, the automated execution of global installers is a high-risk pattern that could be used to compromise the environment. Primary indicators are found in SKILL.md and references/fallbacks.md.
- External report
- View on VirusTotal