Back to skill
Skillv0.9.0
VirusTotal security
Lunar Calendar · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:53 AM
- Hash
- 04b97311986e07107e81e60a1e2fbaf35e2120c4c734ce4c806a94f20c1a7f26
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lunar-calendar Version: 0.9.0 The skill bundle is primarily designed for lunar calendar calculations and publishing the project. The `SKILL.md` actively implements strong prompt-injection defenses by explicitly instructing the AI agent to use a specific script (`scripts/lunar_calculator.py`) and forbidding it from generating its own code or over-exposing information. However, the `github_auto_setup.sh` script, which is generated and intended for publishing, embeds the `GITHUB_TOKEN` directly in the `git remote add origin` URL. While its intent is to publish this specific project, this practice exposes the token in command history and potentially logs, representing a significant security vulnerability (weak credential handling) that could lead to unauthorized access if the token is compromised. Additionally, `scripts/simple_validator.py` is a mock validator that does not actually test the core calculation logic, leading to a false sense of validation, which is a functional flaw but not malicious.
- External report
- View on VirusTotal