Back to skill
Skillv1.0.0
VirusTotal security
Todo Management 1.1.2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:24 AM
- Hash
- 2f7205599abe7d1762f948d674d76b622e5950f09e8e8a104517b7694fcc6dbc
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: todo-management-1-1-2 Version: 1.0.0 The core functionality of the skill, implemented in `scripts/todo.sh` and guided by `SKILL.md`, appears benign and well-secured against common vulnerabilities like SQL injection and prompt injection. However, the skill bundle contains `package.json`, `package-lock.json`, and `pnpm-lock.yaml` files which declare a dependency on a package named 'package-lock.json' from the npm registry. This is highly unusual and suspicious, as the skill is a bash script and does not utilize Node.js or pnpm, making these dependency files extraneous and potentially indicative of an attempt to introduce an unexpected or inert dependency into the bundle.
- External report
- View on VirusTotal