Skill v1.0.0

VirusTotal security

Labradoc Cli · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious (Apr 30, 2026, 4:55 AM)
Hash: 0746123d94b0c58be89ebcd4b39d768b27d45ff7ee9417be064fb5506c4a06f1
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: labradoc-cli
Version: 1.0.0

The skill bundle is classified as suspicious due to the broad capabilities of the `labradoc-cli` tool, particularly the `api request` command (implemented in `cmd/api/request.go`). This command allows the AI agent to construct and execute arbitrary HTTP requests, including specifying methods, paths, request bodies (from strings or local files, including stdin), and writing responses to local files. This functionality, while legitimate for a generic CLI, creates a significant prompt injection vulnerability, enabling an attacker to potentially instruct the AI agent to exfiltrate sensitive local files (e.g., `~/.ssh/id_rsa`) to external endpoints or perform unauthorized actions against arbitrary APIs.

The `SKILL.md` also contains an `eval` command, which is a risky primitive, though used for a fixed, legitimate OAuth login flow in this context. No evidence of intentional malicious behavior (e.g., hardcoded exfiltration, backdoors) was found in the code, but the inherent capabilities pose a high risk for misuse via prompt injection.