Skill v1.0.3
VirusTotal security
Local Claw Skill Nest Client · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review Apr 30, 2026, 6:25 AM
- Hash: 74963ac10792001bb9cefef3ea7da3975d607fd9df1388bbf7bffbb5ae809973
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: claw-skill-nest-client. Version: 1.0.3. The skill acts as a client for a local/private skill repository, providing functionality to download, upload, and install code packages. It uses 'child_process.spawn' to execute shell commands (powershell and unzip) for archive extraction in 'scripts/manage_local_claw_skill_nest.ts', which contains a potential command injection vulnerability if a remote server returns a malicious skill name. While the behavior is consistent with the stated purpose of managing local skills, the combination of network fetching and shell execution of downloaded artifacts represents a significant security risk.
