Skill v1.0.0
VirusTotal security
ETHSkills · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:44 AM
- Hash: b6e4584bdb32804520fc8e0cdac259dc1de73a67f262a144f3f433d8779da8dc
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: ethskills; Version: 1.0.0. The skill instructs the AI agent to fetch documentation from `ethskills.com` using `curl`, which is benign as it's intended for reading. However, the `SKILL.md` also includes the command `npx create-eth@latest` as part of an example workflow for scaffolding a dApp. While aligned with the stated purpose of Ethereum development, `npx` downloads and executes arbitrary code from the npm registry, which represents a significant supply chain risk and potential for remote code execution (RCE) if the `create-eth` package were compromised. This constitutes a risky capability without clear malicious intent from this skill itself, thus classifying it as suspicious.
