Back to skill
Skillv0.1.1
VirusTotal security
Global Weather Service · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 4:06 PM
- Hash
- 88884aac59f95d910eb9e9284d8526a514d19b37f6246a59be4396174c55d123
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: global-weather-service Version: 0.1.1 The skill provides global weather forecasts and a subscription service using Open-Meteo. However, `scripts/manage_weather_subscription.py` contains a prompt injection vulnerability where the user-provided `city` argument is embedded without sanitization into a command string (`python scripts\weather_report.py "{city}"`) that the AI agent is instructed to execute later via the `openclaw cron` system. While no evidence of intentional malice or data exfiltration was found, this architectural flaw allows for potential command injection or agent manipulation if a user provides a specially crafted city name.
- External report
- View on VirusTotal