Back to skill
Skillv1.0.9
VirusTotal security
ChipChain · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:17 AM
- Hash
- 9750ab60fd40eafab7e6004287bbbb8ec57614f9df82f6b194323b8a977b980f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: chipchain Version: 1.0.9 The skill bundle provides a sophisticated framework for semiconductor supply chain research, but it includes a high-risk utility in `scripts/_verify_common.py`. The `ensure_package` function uses `subprocess.check_call` to automatically install Python packages via `pip`. While intended to support verification scripts like `verify_tickers.py` and `verify_cas.py`, this pattern allows for arbitrary command execution and potential supply chain attacks if package names are compromised. The rest of the bundle, including the extensive research workflows in `SKILL.md` and the `queries/` directory, appears benign and focused on its stated purpose of multilingual industry analysis.
- External report
- View on VirusTotal