Skill v1.0.1
VirusTotal security
QR Code · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:49 AM
- Hash: 1e20ef0db2802044fc465bba9dbce751a7039b87c70321f4dc4a5b890bad6c81
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: openclaw-qr-code. Version: 1.0.1. The skill is classified as suspicious due to the explicit instruction in SKILL.md to execute an external script via `curl -s <URL> | bash`. This creates a severe supply chain vulnerability, allowing arbitrary code execution on the OpenClaw agent's host if the GitHub repository or the `install.sh` script at `https://raw.githubusercontent.com/zouyawen/openclaw-qrcode/main/install.sh` is compromised. This instruction also represents a form of prompt injection, as the AI agent is directed to perform a high-risk action by fetching and executing untrusted code from an external source.
