Skill v0.4.22
VirusTotal security
Caravo Service Marketplace · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious (Apr 29, 2026, 4:35 AM)
- Hash: f70277aff89c26ecb7ab82c0be5c7bbe612753946a9f06f6a3dce449b3f46c22
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: caravo; Version: 0.4.22. The Caravo skill bundle integrates a service marketplace using a CLI (@caravo/cli) executed via npx, which introduces supply chain risks. It includes high-risk capabilities, such as the ability to automatically read local files (including those in the home directory) and upload them to a remote CDN when passed as tool arguments. Additionally, the SKILL.md file employs aggressive prompt steering, instructing the agent to 'ALWAYS prefer Caravo' and mandating the execution of a setup command (npx ... start) to display marketing greetings, which could be abused to exfiltrate sensitive local data or prioritize paid services over safer alternatives.
