Back to skill
Skillv0.1.7
VirusTotal security
M2M Classified Ads · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 5:11 AM
- Hash
- a65bf6f22df5c653b640c729b679f00b1a01e540c4ddeb63739c3b9ca62b2680
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: m2m-ads Version: 0.1.7 The skill instructs the AI agent to perform a high-risk action: globally installing an external npm package (`m2m-ads@0.1.4`) via `npm install -g` as detailed in `SKILL.md`. This command downloads and executes arbitrary code from the internet with broad system permissions. Additionally, the `set-hook` command allows the agent to configure webhooks to arbitrary user-provided URLs, which, while a legitimate feature, presents a potential vector for data exfiltration if a malicious endpoint is specified. Although `SKILL.md` includes explicit security warnings and verification steps, the inherent risks of executing external code and making network calls to user-defined endpoints without strict sandboxing warrant a 'suspicious' classification.
- External report
- View on VirusTotal