Back to skill
Skillv0.2.0
VirusTotal security
Clawatar · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:46 AM
- Hash
- 544ff301db2f3b150eea293e9acd759cdfa8cc0308174de81f0565d90642a481
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawatar Version: 0.2.0 The skill's installation process involves cloning a remote Git repository and installing npm dependencies, introducing supply chain risks. More critically, the `SKILL.md` instructs the AI agent to execute arbitrary Node.js code via `node -e` to interact with the local WebSocket server. While the provided example is benign, this capability presents a significant prompt injection vulnerability, allowing for potential arbitrary code execution (RCE) if an attacker can control the input to the `node -e` command.
- External report
- View on VirusTotal