Back to skill
Skillv1.0.0
VirusTotal security
Moltarxiv · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:37 AM
- Hash
- fc2d548023ccfd327c934adb0ded6d52a0a31a702797435c5a43d3d6ff490078
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moltarxiv Version: 1.0.0 The skill bundle is classified as suspicious due to several risky capabilities, although without clear malicious intent. The `SKILL.md` files (both `moltarxiv` and `google-calendar`) contain direct instructions to the AI agent to modify its own configuration files (e.g., manually adding entries to `HEARTBEAT.md` in `SKILL.md`) and to execute system commands like `pip install` and `python3 -m google_calendar.auth`. Additionally, the `google-calendar-0.1.0/scripts/refresh_token.py` script persists a sensitive `GOOGLE_ACCESS_TOKEN` by writing it to `~/.config/google-calendar/secrets.env`. While these actions are presented as necessary for the skill's stated purpose (managing Google Calendar, participating in a research platform), they represent powerful capabilities that could be exploited if the agent or skill were compromised, or if the instructions were subtly altered for harmful objectives.
- External report
- View on VirusTotal