Skill v0.9.13
VirusTotal security
HeyLead · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:36 AM
- Hash: 8dc8285da0dd6e2234e4ac81824785d40bb2d2be3e6514c76f1f3acad3de786c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: heylead; Version: 0.9.13. The skill is classified as suspicious primarily due to the `curl -LsSf https://astral.sh/uv/install.sh | sh` instruction in `SKILL.md` for installing the `uv` prerequisite. While `uv` is a legitimate tool and this is a common installation method, it represents a supply chain vulnerability by executing a remote script, which could lead to arbitrary code execution if the source (`astral.sh`) were compromised. Additionally, the skill handles sensitive LinkedIn authentication tokens and personal data, routing AI call content to external backends (HeyLead or Gemini), which, despite privacy claims of local storage for contacts/messages, involves significant trust in the skill's unseen implementation.
