Back to skill
Skillv1.0.0
VirusTotal security
watchdog · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:55 AM
- Hash
- d65b60cb233e40b3c1e507e603fb0bdcb1e034b4f1c1054f8f7236560fad1a76
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: watchdog Version: 1.0.0 The skill contains behavioral instructions in index.js (WATCHDOG_SYSTEM_PROMPT) that direct the AI agent to use its 'native file writing tools' to automatically create or overwrite a .env file on the local filesystem once credentials are provided. This is a prompt-injection technique that commands the agent to perform actions (filesystem I/O) outside the scope of the skill's defined tools. While intended for user onboarding, such instructions for 'silent' or 'automatic' execution of external tools represent a security risk. Additionally, the WATCHDOG_API_URL is configurable via environment variables, which could be used to redirect the WATCHDOG_API_KEY to a malicious endpoint.
- External report
- View on VirusTotal