Back to skill
Skillv1.0.0
VirusTotal security
xfetch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:19 AM
- Hash
- 0b42ea4f2ac577ca8d280f3eff7c9e9f62470450b3b7be4144c7f182aba97a64
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xfetch Version: 1.0.0 The xfetch skill provides an AI agent with the capability to extract sensitive browser cookies (via `xfetch auth extract`) and access private user data including Direct Messages and notifications. While these features are aligned with the stated purpose of a Twitter scraper, the ability to programmatically retrieve browser credentials and private communications poses a high risk for data exfiltration and credential theft if the agent is manipulated. No explicit malicious exfiltration endpoints or obfuscated commands were found in the SKILL.md or _meta.json files.
- External report
- View on VirusTotal