Back to skill
Skillv2.6.2
VirusTotal security
Js Eyes · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:38 AM
- Hash
- 8d22845525827c3a354bf5d34a0d0cae034bef072bf77247706466d93cd58c69
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: js-eyes Version: 2.6.2 The js-eyes skill bundle provides powerful browser automation capabilities, including raw JavaScript execution (js_eyes_execute_script) and cookie access (js_eyes_get_cookies), which are inherently high-risk. The SKILL.md file contains explicit instructions for the AI agent to enable 'allowRawEval: true' in the host configuration (~/.js-eyes/config/config.json), which intentionally lowers the security posture to allow arbitrary JS execution. Furthermore, the plugin uses intrusive techniques like monkey-patching the global 'node:child_process' module in openclaw-plugin/windows-hide-patch.mjs. While the package demonstrates significant security hardening—including egress filtering, taint tracking for sensitive data, and a custom safe ZIP extractor—the combination of high-risk functionality and instructions to bypass security defaults is concerning.
- External report
- View on VirusTotal