Back to skill
Skillv1.0.0
VirusTotal security
Clawshell 0.1.0 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:24 AM
- Hash
- b9002620980e8c0903fc3626c9f42dec8d225a93591f4f35044d39d892d4c50a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawshell-0-1-0 Version: 1.0.0 The skill's stated purpose in SKILL.md is to provide a human-in-the-loop security layer, which is a benign and security-enhancing objective. However, the `package.json`, `package-lock.json`, and `pnpm-lock.yaml` files declare a dependency on a package named `package-lock.json` from the npm registry. This is highly unusual and indicates a potential supply chain risk or a packaging error, as a package should not depend on a lockfile itself. While there is no clear evidence of intentional malicious behavior by the skill's author, this dependency introduces a significant vulnerability and makes the skill suspicious.
- External report
- View on VirusTotal