Back to skill
Skillv1.2.1
VirusTotal security
企查查 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:19 AM
- Hash
- 98e092ab46f5f3475c33009018ffa98bf5f38a89b271411c8e43afd017ff9d98
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qichacha Version: 1.2.1 The skill contains a hardcoded Tavily API key in `qichacha.js`, which is a significant security vulnerability (credential leak). While the script's logic is consistent with its stated purpose of querying enterprise information by using the Tavily search API to aggregate data, the inclusion of static credentials and the use of unencrypted HTTP mirrors in `package-lock.json` (mirrors.tencentyun.com) are high-risk practices.
- External report
- View on VirusTotal