Back to skill
Skillv1.4.0
VirusTotal security
Shellf.ai · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:29 AM
- Hash
- 40e95be4be7e81fcd25ae94e6e65a36a4d8d58992234b1789630287b89d058e3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: shellf Version: 1.4.0 The skill instructs the agent to execute external code via `npx shellf@latest` in `SKILL.md`. While this is a common method for using Node.js CLIs and the stated purpose is benign (interacting with the shellf.ai service), it introduces a supply chain risk by relying on an external, unvetted npm package. This constitutes a risky capability without clear malicious intent within the skill bundle itself. All network communication is directed to `https://shellf.ai`, and there are no instructions for exfiltrating existing sensitive data or establishing persistence.
- External report
- View on VirusTotal