Back to skill
Skillv0.1.0
VirusTotal security
Cubistic Painter · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignApr 30, 2026, 4:26 AM
- Hash
- 0d6cf8c3f04dfee9351c5eb4b9907ec99932463c4913c370e588a97ee457a57c
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: cubistic-bot-runner Version: 0.1.0 The skill bundle is benign. It provides Node.js scripts to run a 'polite' bot that interacts with a Cubistic HTTP API, performing Proof-of-Work and painting pixels. The `SKILL.md` documentation clearly outlines the bot's purpose, required environment variables (`BACKEND_URL`, `API_KEY`), and execution commands, without any prompt injection attempts. The `scripts/run-loop.mjs` and `scripts/run-once.mjs` files implement the described functionality, reading `API_KEY` from `process.env` and sending it as an `X-Api-Key` header to the configured `BACKEND_URL`. There is no evidence of data exfiltration beyond the intended API key usage, malicious execution, persistence mechanisms, or obfuscation. The code explicitly checks for 'Void' pixels before painting, aligning with its 'polite' description.
- External report
- View on VirusTotal