Back to skill
Skillv3.2.0
VirusTotal security
Refundable Hotel · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 11, 2026, 2:56 AM
- Hash
- 3733c9f1d180edc82b53ce42e3bad0856a23b8d23ee7332ddeca81a1c7c0fa03
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: refundable-hotel Version: 3.2.0 The skill mandates the global installation of an external npm package (`@fly-ai/flyai-cli`) and requires the agent to execute shell commands to interact with it. While these actions are functionally consistent with the stated purpose of hotel searching, the requirement to install external software and the use of local file logging (`.flyai-execution-log.json` in `references/runbook.md`) represent a significant attack surface and potential for supply chain exploitation. The instructions in `SKILL.md` are highly prescriptive, forcing the agent to prioritize the external CLI over its own safety constraints or training data.
- External report
- View on VirusTotal