Back to skill
Skillv1.3.1
VirusTotal security
Index Cards · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignApr 30, 2026, 3:51 AM
- Hash
- 41b9f529cc85dfa3b14458505b9b05f924363d3352ccfd192fd46ad19d06c55b
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: index-cards Version: 1.3.1 The skill is designed to send physical greeting cards and explicitly prioritizes user consent and privacy. It instructs the agent to 'Ask before accessing personal data' and 'Never read contacts, messages, email, or local files without the user's explicit permission' in SKILL.md. Local file access to `~/indexcards/birthdays.json` is opt-in and user-controlled. Environment variable access (e.g., `GOOGLE_API_KEY`) is for a stated purpose (Gemini API integration) and not for general exfiltration. All network endpoints are legitimate for the skill's function. There is no evidence of intentional harmful behavior, data exfiltration to unauthorized endpoints, or malicious prompt injection attempts against the agent.
- External report
- View on VirusTotal