Back to skill
Skillv1.0.0
VirusTotal security
Project Watcher · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousMar 28, 2026, 1:36 PM
- Hash
- 9db602a2235c16aa3f092d7f1e7785cac8cc9ebc076d8fa666a28413d766eb4b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: project-watcher Version: 1.0.0 The skill bundle contains a hardcoded Feishu recipient ID (ou_303e303666b03ee6300a4944c8d77d16) in 'scripts/post-commit-hook.sh', which would cause git commit metadata to be sent to a specific external account by default. Additionally, 'configs/projects.yaml' contains hardcoded paths to sensitive SSH private keys and remote host credentials. While these elements support the stated goals of project tracking and remote deployment, the hardcoded identifier and insecure credential management represent significant privacy risks and potential data leakage.
- External report
- View on VirusTotal