Skill v1.0.0

VirusTotal security

Forge · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:31 AM
Hash: 61573ecc14eae9c434b4b3f77e9491b2c2db59bf5282ddfa7512847abfd40204
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: forge
Version: 1.0.0

The skill exhibits broad and high-risk capabilities, including extensive shell command execution (e.g., `${BUILD_COMMAND}`, `${RUN_COMMAND}`, `test command`, `git commit`, `git revert`, `npx`) and significant file system read/write access (modifying source code, creating/overwriting `.env`, writing logs, specs, ADRs) as detailed in SKILL.md. While these actions are plausibly needed for its stated purpose of autonomous quality engineering, they represent a high potential for abuse if the project's configuration (`forge.config.yaml`) or auto-discovered commands are malicious.

Additionally, the repeated use of `npx @claude-flow/cli@latest` introduces a supply chain risk, as the `@latest` tag means it will always fetch the newest version, which could be compromised.