Back to skill
Skillv1.1.0
VirusTotal security
Proton Pass CLI · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:10 AM
- Hash
- 7de07fa6780330205f3d22a5e7dbc3b393aad09c9bd8e2f0b2109b11ef7a3943
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: proton-pass Version: 1.1.0 The skill bundle is classified as suspicious due to several high-risk capabilities, despite being aligned with its stated purpose as a password and secret manager. These include the installation method via `curl | bash` from an external URL (`proton.me`), the ability to import SSH private keys from `~/.ssh/` (documented in SKILL.md), and the `pass-cli run` and `pass-cli inject` commands which allow executing arbitrary commands with injected secrets or writing secrets to arbitrary files. While these are legitimate functionalities for a secret management tool, they expose a significant attack surface if the AI agent were to be compromised by a subsequent malicious prompt, and the skill itself does not lack these meaningful high-risk behaviors.
- External report
- View on VirusTotal