Back to skill
Skillv0.1.0
VirusTotal security
Deep Research · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:35 AM
- Hash
- 2452727c1797e33987cc2bdf8244b162645b9efd63dc740919bc387a12343157
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: deep-research-cli Version: 0.1.0 The skill bundle implements an autonomous multi-step research agent, but it contains high-risk execution patterns. Specifically, `scripts/search.sh` invokes the Gemini CLI using the `--approval-mode yolo` flag, which grants the agent full autonomy to execute tools (like web searching and fetching) without user confirmation. This creates a significant vulnerability to indirect prompt injection, where malicious content on a retrieved webpage could hijack the agent's execution flow. Additionally, the `SKILL.md` and `README.md` promote the use of `https://r.jina.ai/` as a fallback for web fetching, which involves transmitting potentially sensitive URLs to a third-party service.
- External report
- View on VirusTotal