Back to skill
Skillv1.0.1
VirusTotal security
Vouch · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:26 AM
- Hash
- 414e86b31748248d2765dd0c740062394f1987b2a540568063fde001cf48ab7a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: vouch-cli Version: 1.0.1 The skill bundle is classified as suspicious due to the inclusion of high-risk capabilities that, while potentially legitimate for the stated purpose of managing agent identity, present significant attack surfaces. Specifically, the `SKILL.md` instructs the agent to install the `vouch` CLI via `curl -fsSL https://vouch.directory/install.sh | bash`, which is a supply chain risk. More critically, the `vouch receive --handler ./process.sh` command allows the agent to execute arbitrary scripts as handlers for incoming messages, creating a potential Remote Code Execution (RCE) vulnerability if the agent is later prompted to create or modify `process.sh` with malicious content. Additionally, the `vouch agent deploy` command grants the agent the ability to deploy code to platforms like Vercel, which is a powerful and high-privilege operation. While there is no direct evidence of malicious intent within the provided files (e.g., no explicit instructions for data exfiltration or backdoor installation), these capabilities are inherently risky and could be exploited by a compromised agent or through prompt injection.
- External report
- View on VirusTotal