Skillv1.0.0

VirusTotal security

News Aggregator Skill 0.1.0 · External malware reputation and Code Insight signals for this exact artifact hash.

ReviewMay 1, 2026, 4:21 AM

Hash: 657f9b61f15bcf457908d960801d0fb29c34aeced777874608833230a178d246
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: news-aggregator-skill-0-1-0 Version: 1.0.0 The skill is classified as suspicious due to the presence of prompt injection instructions within `SKILL.md` that direct the AI agent to modify user input (e.g., 'CRITICAL: You MUST automatically expand the user's simple keywords...'). While the stated intent is to enhance search functionality, this capability could be exploited if the expansion logic were flawed or if the agent were instructed to expand into malicious commands. Additionally, the skill performs extensive web scraping from external sources (`scripts/fetch_news.py`) and processes untrusted content, including fetching full article text (`--deep` flag). Although the script includes basic sanitization (removing script/style tags, truncating content, URL validation), the inherent risks of processing arbitrary external data and the agent's interpretation of its own instructions (e.g., file writing to `reports/`) introduce potential vulnerabilities that could lead to unintended actions or RCE if exploited, even without clear evidence of intentional malicious design.
External report: View on VirusTotal