Skill v2.0.3

VirusTotal security

Skill Vettr · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 4:04 AM
Hash
03427002e25438ab6b113f892115e648180100cb496db6946116f1d7255f57b4
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: skill-vettr
Version: 2.0.3

The OpenClaw skill 'skill-vettr' is a security scanner designed to detect malicious patterns in other skills. While its intent is benign, it exhibits several high-risk capabilities that warrant a 'suspicious' classification. These include the use of external binaries (`git`, `curl`, `tar`, `clawhub`) via `execSafe` (src/utils/exec-safe.ts) to download and extract untrusted remote code for analysis, which, despite robust sanitization and whitelisting, is an inherently risky operation. Furthermore, its own installation process (`npm install`) is explicitly noted in SKILL.md to run dependency lifecycle scripts, posing a potential supply chain vulnerability to the installer. The skill also offers a configuration (`allowCwd`) that, if enabled, significantly broadens its filesystem access (src/utils/sanitise.ts). All clearly malicious code (e.g., `eval('rm -rf /')`, data exfiltration) is confined to `test/fixtures/malicious-skill/`, serving as test cases for the scanner's detection capabilities, not as part of its operational logic.
External report
View on VirusTotal