Back to skill
Skillv1.0.0
VirusTotal security
CrabPet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignApr 30, 2026, 4:37 AM
- Hash
- 7e83e8fbe10db08b937de63dcdf11c905f8d6328c43016165bbe6e0c6cd3f9d6
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: crabpet Version: 1.0.0 The OpenClaw CrabPet skill is classified as benign. Its core functionality involves reading OpenClaw's own memory logs (`memory/YYYY-MM-DD.md`) to calculate pet stats, which is explicitly stated and necessary for the pet's growth. The `SKILL.md` instructions guide the AI agent to execute local Python scripts (`scripts/pet_engine.py`) for pet management, without attempting to subvert the agent or access unrelated sensitive data. The `pet_engine.py` script uses `subprocess.run` to execute a local Chrome/Chromium binary in headless mode for generating PNG pet cards from a locally rendered HTML file (`web/card.html`). While `subprocess.run` is a powerful primitive, its usage here is highly constrained: arguments are fixed, the target URL is a local `file://` path, and data injected into the HTML is JSON-escaped, mitigating direct command or script injection risks. No evidence of data exfiltration, persistence mechanisms, or obfuscation was found. All file access and external program execution are aligned with the stated purpose of the skill.
- External report
- View on VirusTotal