Skill v1.0.0

VirusTotal security

Apple Watch Health Sync · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:12 AM
Hash
22d049ab316c654a8fae4c2dc33930c771c39a9896d742080b53c1dca0a1742f
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: apple-watch
Version: 1.0.0

The skill is classified as suspicious due to several high-risk capabilities and vulnerabilities. The `SKILL.md` instructs the agent to establish persistent services with high privileges (e.g., Windows Scheduled Task with `RunLevel Highest`) and explicitly commands the agent to 'SEND THE FILE TO USER' for `.env.json` (containing an API key) and to send screenshots. While the stated purpose for these actions is benign (server persistence, user configuration), these instructions create significant prompt-injection vulnerabilities, allowing an attacker to potentially exfiltrate arbitrary files or screenshots. Additionally, `scripts/setup.py` downloads external code from GitHub, introducing a supply chain risk, and the generated `server.py` listens on `0.0.0.0` with `Access-Control-Allow-Origin: *`, which is a security misconfiguration.