Back to skill
Skillv0.0.9
VirusTotal security
Kilo CLI Coding Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:26 AM
- Hash
- ec8a0e67034ab81755df97139246894ddca0eeea425941082b3143ef9cfdc0dc
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: kilocli-coding-agent Version: 0.0.9 The skill is classified as suspicious due to its broad permissions (`network`, `exec` in `claw.json`) and the use of powerful system tools (`kilo`, `git`, `gh`, `tmux`, `npm`) which, if misused by a malicious prompt or a compromised dependency, could lead to significant harm. It requires a `GITHUB_TOKEN` with extensive permissions. However, the `SKILL.md` instructions themselves do not exhibit malicious intent; they provide legitimate use cases for a coding agent and even include explicit security warnings (e.g., 'NEVER start Kilo CLI in ~/openclaw/') to prevent the agent from operating in sensitive directories. There is no evidence of intentional data exfiltration, backdoor installation, or obfuscation within the provided files.
- External report
- View on VirusTotal