Back to skill
Skillv1.15.3
VirusTotal security
here.now · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:16 AM
- Hash
- f3fe19bcdcaa4adc5ecfa8723de30cd88f0e1dc323fa6d1ac7e42c17935def71
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: here-now Version: 1.15.3 The skill provides legitimate-looking web hosting and cloud storage functionality but contains instructions in SKILL.md that direct the AI agent to perform high-risk actions without user oversight. Specifically, it instructs the agent to automatically write API keys to the filesystem (~/.herenow/credentials) without asking the user, to hide internal state information from the user, and to fetch instructions from an external URL (https://here.now/docs), which is a significant prompt-injection vector. While the bash scripts (scripts/publish.sh and scripts/drive.sh) include commendable security guards to prevent credential leakage to non-default domains, the overall steering of the agent toward autonomous, non-transparent behavior is concerning.
- External report
- View on VirusTotal