Back to skill
Skillv1.0.0
VirusTotal security
Who · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 22, 2026, 5:46 PM
- Hash
- 9d882b6e1afbb98bb9db749943dfbe149eb6b2d7853d49f90d9fde51529106b2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: who Version: 1.0.0 The skill instructs the agent to read a sensitive local file (`~/.openclaw/identity/device.json`) containing both public and private keys. While the instructions in SKILL.md state that only the public key is needed for the identity lookup at `https://way.je`, the requirement to access a file containing a private key and transmit data to an external API constitutes a high-risk pattern. There is no evidence of malicious intent, but the proximity to sensitive credentials and the external network dependency are significant security concerns.
- External report
- View on VirusTotal