Skill v0.3.2

VirusTotal security

yc · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 5:02 AM
Hash
9fecbd8f4d49085e97c0f6de7d71128fd89f5d0744430a34738f0e145b8bc37f
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: yc
Version: 0.3.2

The skill bundle provides automation for YC Startup School and other startup applications, but it employs several high-risk behaviors. It extracts sensitive session cookies from multiple browsers (Chrome, Safari, Firefox) via the `@steipete/sweet-cookie` library in `src/lib/cookies.ts` and uses Playwright for browser automation in `src/lib/spc.ts`. Most notably, `scripts/postinstall.js` performs on-the-fly patching of its dependencies within `node_modules` to modify internal timeouts and SQL queries. While these capabilities are aligned with the tool's stated purpose of automating web-based forms and updates, the combination of credential access and self-modifying installation logic warrants a suspicious classification.