Skill v1.0.0
VirusTotal security
city-life-copilot · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 9, 2026, 2:56 PM
- Hash: 8284ef81016c166a756ecd6a30727a9de6b8f6c38e78739d96689f83b30a1949
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: city-life-copilot; Version: 1.0.0. The skill bundle is classified as suspicious primarily due to the high-risk behavior in `scripts/install.js`, which performs global system modifications and fetches remote code. Specifically, it executes `npm install -g`, and uses `git clone` and `curl` to download and install artifacts from external domains such as `clawhub.ai` (e.g., `https://clawhub.ai/dlutwuwei/web-anti-crawl-fetch`) and `modelscope.cn`. While these actions are presented as necessary dependency installations for the agent's scraping and mapping functions, they represent a significant supply-chain risk and remote code execution (RCE) vector. No explicit evidence of data exfiltration or intentional backdoors was found in the logic of `scripts/dispatcher.js` or the instructions in `SKILL.md`, but the installation pattern exceeds standard safety boundaries for skill bundles.
