Back to skill
Skillv2.3.0+5
VirusTotal security
Latchkey · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:05 AM
- Hash
- cb79da9e0ea569d5bd0ec09cad96bc3ed3e224293206621db5dd4c0e0f8e303c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: latchkey Version: 2.3.0+5 The 'latchkey' skill acts as a wrapper for a CLI tool designed to manage and inject sensitive API credentials (e.g., AWS, Slack, GitHub) into curl commands. While the instructions in SKILL.md are transparent and the behavior is aligned with the stated purpose, the skill involves high-risk capabilities including handling authentication tokens and executing network requests via an external npm package dependency. Per the analysis criteria, tools providing shell and network access for credential management are classified as suspicious due to the inherent risk of the functionality, even in the absence of explicit malicious intent.
- External report
- View on VirusTotal