Skill v1.0.0
VirusTotal security
newpaper · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 16, 2026, 1:46 PM
- Hash: 4609403b167ff0cb1436ccfcf3fa808050bd195db4b41f7c7b0f9f187814c24f
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: newpaper-skill
  - Version: 1.0.0
  - The skill bundle instructs the agent to clone a repository from a personal GitHub account (caoxinran102-sys/Paper2Poster) rather than the official organization repository (Paper2Poster/Paper2Poster) mentioned in the README. It explicitly directs the agent to solicit sensitive credentials (OPENAI_API_KEY) from the user and store them in a .env file before executing arbitrary Python code from the cloned repository. This pattern of using a non-official fork to handle user secrets and execute code is a high-risk indicator of a potential supply chain attack, although no explicit exfiltration logic is present in the provided files.
