Back to skill
Skillv1.0.1
VirusTotal security
Chitin Cert · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:30 AM
- Hash
- 956de592ab76cce52e6c806fb2225b32ad9e67ad887228dafe22aae635576db9
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: chitin-cert Version: 1.0.1 The skill is classified as suspicious primarily due to the inclusion of the `npx -y chitin-mcp-server` command in `skill.md` and `llms.txt`. While presented as a legitimate tool for AI agent integration, executing an external npm package introduces a supply chain vulnerability. If the `chitin-mcp-server` package were compromised or malicious, its execution could lead to unauthorized code execution. However, there is no clear evidence of intentional malicious behavior within the provided skill bundle itself, such as data exfiltration or explicit instructions for the agent to perform harmful actions. The `skill.json` file explicitly lists `allowed_domains` as `certs.chitin.id` and `chitin.id`, which is a positive security control for network interactions, but does not mitigate the local execution risk of `npx`.
- External report
- View on VirusTotal