Skill v2.2.5
VirusTotal security
Ai Bill Clawhub · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: May 1, 2026, 3:45 AM
- Hash: 64c1fae023b6bda6f858de79c34de9315351d6d606ed5481f465f12077747306
- Source: palm
- Verdict: suspicious
- Code Insight (Type: OpenClaw Skill; Name: ai-bill-clawhub; Version: 2.2.5): The skill is classified as suspicious due to several high-risk capabilities and questionable practices. The `app/collector.js` script reads sensitive OpenClaw agent session data (`/root/.openclaw/agents/main/sessions/sessions.json` and `/root/.openclaw/openclaw.json`) and performs high-privilege writes to system-wide web server directories (`/var/www/html/bill/usage_live.json`, `/var/www/html/bill/usage.json`). Additionally, the `app/sync_prices.sh` script declares fetching prices from a specific GitHub repository (`openclaw/project-bill`) but then hardcodes the content, creating a discrepancy that raises supply chain concerns. A hardcoded weak password ('1234') for a client-side lock screen is also present in `app/index.html`, indicating poor security hygiene. While these actions are not explicitly malicious, they represent significant vulnerabilities and powerful capabilities that could be exploited.
- External report: View on VirusTotal
