Skill v0.4.1
VirusTotal security
E.x.O. Installer · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:46 AM
- Hash: a2cb71198ed4ec488d9192c57bc3acb3040723e26bee1c28937c72b531c23b02
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: exo-installer; Version: 0.4.1. The skill 'exo-installer' is classified as suspicious due to its extensive use of `child_process.execSync` in `cli.js` to install global npm packages, execute `npx` commands, and clone GitHub repositories. While the commands executed are derived from hardcoded values in `packages.json` or internal logic, and do not appear to be directly vulnerable to user-input-based shell injection in this specific bundle, the inherent power of these operations (e.g., `npm install -g`, `git clone`) represents a significant attack surface and supply chain risk. Additionally, the `cmdCronSetup` function instructs the OpenClaw agent to set up a cron job, a powerful capability, even if the suggested payload is currently benign.
