Back to skill
Skillv0.1.0
VirusTotal security
Libvips Image · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:42 AM
- Hash
- af8b0611504cf06a63f99396d12a288d7f0cd71bb2b4a61496596c346d690dca
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: libvips-image Version: 0.1.0 The skill bundle is classified as suspicious due to the `scripts/install.sh` utilizing a `curl | sh` pattern to install the `uv` package manager from `https://astral.sh/uv/install.sh`. While `uv` is a legitimate tool and this installation method is common, executing remote code directly via `curl | sh` introduces a supply chain risk. There is no clear evidence of intentional malicious behavior such as data exfiltration, persistence, or unauthorized remote control within the skill's code or instructions, but this installation method represents a significant vulnerability if the remote source were compromised.
- External report
- View on VirusTotal