VirusTotal Hash Analyzer

Pass. Audited by ClawScan on May 1, 2026.

Overview

This appears to be a straightforward VirusTotal lookup helper, but it uses your VirusTotal API key and sends queried indicators to VirusTotal.

This skill looks purpose-aligned for checking hashes, URLs, domains, and IPs with VirusTotal. Before installing, be comfortable providing a VirusTotal API key and sending any queried indicators to VirusTotal, and verify the publisher/version because the registry provenance is limited.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Queries may consume the user's VirusTotal quota and are associated with the configured API key.

Why it was flagged

The helper reads a VirusTotal API key from the environment to authenticate lookups. This is expected for the stated integration, but it uses the user's VirusTotal account identity and quota.

Skill content

key = os.environ.get("VT_API_KEY", "").strip()

Recommendation

Use a dedicated VirusTotal API key with the minimum needed permissions and rotate it if it may have been exposed.

What this means

Any indicator submitted for lookup may be visible to or logged by VirusTotal according to that service's policies.

Why it was flagged

The script sends queried IOC values to the VirusTotal API. This is central to the skill's purpose and disclosed, but IOCs such as internal domains, URLs, or IPs can be sensitive.

Skill content

VT_API_BASE = "https://www.virustotal.com/api/v3"

Recommendation

Avoid submitting confidential internal URLs, hostnames, or incident indicators unless your organization allows sharing them with VirusTotal.

What this means

It may be harder to confirm the maintainer, source repository, or exact version lineage of this skill.

Why it was flagged

The registry metadata has limited provenance and differs from the included artifact metadata that declares version 2.0.0. No risky install behavior is shown, but the release identity should be checked.

Skill content

Source: unknown; Homepage: none; Version: 1.0.2

Recommendation

Verify the publisher and compare the packaged files with a trusted source before relying on it in sensitive environments.