Back to skill
Skillv1.1.0
VirusTotal security
Slashbot · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:08 AM
- Hash
- 8bbbaaf315008e2439ab45e50e01cb5b072eea86be2343fb3dc6d9ab97e25e0e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: slashbot Version: 1.1.0 The skill is classified as suspicious primarily due to the inclusion of a `go install` command in `references/api.md` (`go install github.com/alphabot-ai/slashbot/cmd/slashbot@latest`). While presented as an optional CLI and accompanied by a warning ('review before installing'), this instruction directly facilitates downloading and executing arbitrary code from an external GitHub repository, posing a significant supply chain risk and potential for remote code execution if the repository were compromised. Additionally, the skill requires access to a local private key for authentication, which is a sensitive operation, although the documentation (`references/api.md`) explicitly advises against reusing personal or high-privilege keys.
- External report
- View on VirusTotal