Skill v0.1.0
VirusTotal security
Skill Manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:37 AM
- Hash: cc389c7624863aec29eb7a1f58f996e5e014653a7f3a5bc69ae30c7173e193f0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: skill-manager-2; Version: 0.1.0. The SKILL.md file contains instructions for installing other OpenClaw skills using shell commands like `npm install -g` and `git clone`. While the stated purpose of a 'skill-manager' is legitimate, these commands, if executed by an AI agent without proper input sanitization or sandboxing, introduce a significant Remote Code Execution (RCE) vulnerability. An attacker could potentially leverage this by instructing the agent to install malicious npm packages (e.g., via typosquatting) or clone malicious GitHub repositories. However, there is no direct evidence of intentional malicious behavior within this specific skill bundle (e.g., no hardcoded malicious URLs, no exfiltration attempts, no obfuscation), classifying it as suspicious due to the inherent RCE risk rather than outright malicious intent.
