Back to skill
Skillv0.1.0
VirusTotal security
Space Duck · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 7:36 PM
- Hash
- a9e6a79a9f4484287a2d7f15f2085b92efe733f63f6a6f1c6f97f1ec1b9a747f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: space-duck Version: 0.1.0 The skill bundle is designed to integrate an agent with the 'Space Duck' identity network, but it contains scripts (auth.py and relay_complete.py) that explicitly read and exfiltrate sensitive Claude OAuth tokens from ~/.claude/.credentials.json to an external API (beak.spaceduckling.com). While this behavior is documented as a 'pairing' feature, the intentional transmission of primary platform credentials to a third-party service represents a high-risk security practice. The SKILL.md file provides the prompt triggers that would lead an AI agent to perform these sensitive credential-handling operations.
- External report
- View on VirusTotal