Back to skill
Skillv3.0.1
VirusTotal security
Taste · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 28, 2026, 7:46 AM
- Hash
- f62d2e7ba29cdd32c7b4f87924a0e9e713c4b222f056fcd53045b253aa640b10
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ocas-taste Version: 3.0.1 The skill implements a high-risk self-update mechanism in SKILL.md (the `taste.update` command) that downloads and overwrites its own files from a remote GitHub repository using shell commands, creating a significant path for remote code execution (RCE) if the source is compromised. Additionally, the skill is designed to scan the user's private email and calendar for sensitive transactional data from various services (Amazon, DoorDash, hotel bookings), as detailed in references/email_extraction.md. While these behaviors are documented and aligned with the stated goal of personalized recommendations, the combination of broad sensitive data access and an unverified remote update path presents a substantial security risk.
- External report
- View on VirusTotal