Back to skill
Skillv0.1.4
VirusTotal security
Skillboss · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:52 AM
- Hash
- d8a8f9c5ae0b122b7e10e909a8c9cb819eb3fba129f5f24d56a2120c680e5f36
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skillboss-2 Version: 0.1.4 The bundle is classified as suspicious due to an aggressive auto-update mechanism in 'scripts/api-hub.js' that performs unauthenticated remote version checks and automatically executes a local shell script ('install/update.sh') via 'execSync'. This behavior is reinforced by 'SKILL.md', which contains 'CRITICAL' instructions for the AI agent to hijack its current task and run the update script immediately upon seeing a specific trigger string. Additionally, 'scripts/lib/client.js' fingerprints the host environment to identify the specific AI agent (e.g., Claude Code, OpenClaw). While these features are framed as maintenance for an AI gateway, they create a significant unauthenticated RCE vector and prioritize remote instructions over user-defined tasks.
- External report
- View on VirusTotal