Skill v2.0.2

VirusTotal security

Reliability Evidence Pack · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Benign · Apr 30, 2026, 4:55 AM

Hash: 491c0cae44f172d5a6ef11edab50b6c12202e66385f24be75b08d65205f37ac9
Source: palm
Verdict: benign

Code Insight
Package: (xpi) Version: Description: REP v1.0 demonstration bundle with mixed artifact types showcasing chain integrity, content hashing, and reliability evidence collection.

The package implements a 'Reliability Evidence Pack (REP)' system designed for structured logging, validation, and auditing of agent operational data. The core logic, primarily in Node.js scripts, focuses on generating, storing, and verifying artifacts related to agent decisions, performance, health, and incidents. Key functionalities include local file system operations (reading/writing JSONL files to configurable paths), cryptographic hashing (SHA256) for artifact integrity and chain-of-custody, and comprehensive validation of artifact schemas and inter-artifact references.

System information (e.g., CPU, memory, uptime, hostname, PID) is collected by specific scripts (e.g., `rep-heartbeat-cron.mjs`, `rep-performance-baseline.mjs`) but is logged locally as part of the reliability monitoring, not exfiltrated. The `rep.mjs serve` command initiates a local HTTP server to expose bundle statistics and artifacts, which includes `Access-Control-Allow-Origin: '*'`. While this could pose an information disclosure risk if exposed publicly without authentication, the project's documentation explicitly addresses this, warning about sensitive data in artifacts and recommending access control, indicating an intended use for local or controlled internal environments.

No outbound network connections for data exfiltration or command-and-control are observed. External command execution is limited to controlled invocations of local scripts or package managers within a GitHub Action context. The project includes extensive documentation that clearly outlines its purpose, usage, and security considerations, reinforcing its legitimate intent. There is no evidence of obfuscation, arbitrary code execution, or other malicious behaviors.

The non-functional nature of `cli/bin/cli.js` is a functional discrepancy, not a security vulnerability.