Skill Cleaner

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill's code, required binaries, and environment variable align with its stated purpose (VirusTotal checks, calling the OpenClaw gateway to trust hashes, and quarantining malicious files); it is high-privilege but coherent and limited to manual invocation.

This skill appears to do what it claims, but it is high-privilege. Before running: (1) run it in dry-run mode first to review the planned actions; (2) back up your skills/ directory or use a disposable environment before using --fix; (3) verify that the openclaw binary and the Bridge RPC (security.trustSkill) are genuine and trusted on your system; (4) ensure your VIRUSTOTAL_API_KEY has appropriate scope and rate limits; (5) inspect the files the scanner flags before committing trust, since the scanner can produce false positives; (6) accept that --fix will rename/move files to .quarantine (destructive) and that npm install will fetch dependencies from the public registry.

SkillSpector

By NVIDIA

SkillSpector findings are pending for this release.

Static analysis

Static analysis findings are pending for this release.

VirusTotal

No VirusTotal findings
