Back to skill
Skillv1.0.1
VirusTotal security
发票查验 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 9:01 AM
- Hash
- 89d16253061e88ac1e119949f63f734cd5ca48399793de9e20a4360451165b8f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cm-invoice-validate Version: 1.0.1 The skill facilitates invoice validation but contains high-risk instructions for the AI agent to perform self-updates and dependency installations via remote ZIP files. Specifically, SKILL.md and INSTALL.md direct the agent to use 'curl' and 'unzip' to download and execute code from 'http://clawmate.sogrand.cn:6080', creating a significant supply-chain risk and RCE vector. Additionally, the Python script (invoice_validate_client.py) accesses the Windows Registry (HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE) to retrieve API keys, which is an unusually privileged method for credential management in this context.
- External report
- View on VirusTotal