Back to skill
Skillv1.0.0
VirusTotal security
Devlog · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:32 AM
- Hash
- 58785621735a6afcc2057ce1721a4b4fb30127c386bfeee2ad0ac695ba703b08
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: devlog Version: 1.0.0 This skill is classified as suspicious due to its broad file system access and direct use of sensitive environment variables, even though these capabilities are ostensibly for its stated purpose. Specifically, `SKILL.md` instructs the agent to manually discover sessions by checking broad user directories (`~/.local/share/`, `~/.config/`, `~/Library/`), and `references/platforms/gemini-cli/list-sessions.sh` scans common development directories (`~`, `~/dev`, `~/projects`, etc.) up to three levels deep to find project roots. While the intent is to locate session data, the wide scope of these searches presents a significant risk for unintended data exposure if the agent were to misinterpret instructions or be prompted maliciously. Additionally, `references/publishing/hashnode/publish.sh` directly accesses `HASHNODE_PAT` and `HASHNODE_PUBLICATION_ID` from environment variables for publishing, a high-risk operation, despite `SKILL.md` instructing the agent to prompt the user if these are missing.
- External report
- View on VirusTotal