Back to skill
Skillv0.1.1
VirusTotal security
Whoo CLI · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:23 AM
- Hash
- 721a3b8338e31123d95030960932abeb9518b1605b48471fc85d2de1b5600233
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: whoo-cli Version: 0.1.1 The skill is classified as suspicious primarily due to the supply chain risk introduced by instructing the agent to install an external, globally available package (`@luisgot/whoo`) via `bun add -g` or `npm install -g` in `SKILL.md`. While this is a common pattern for CLI-based skills and the skill itself demonstrates good security practices (e.g., explicit prompt injection defense for JSON output and a data privacy notice), the act of installing an arbitrary external package from a public registry presents a significant vulnerability if the upstream package were to be compromised or malicious. There is no direct evidence of malicious intent within the provided files, but the reliance on an external, globally installed dependency elevates the risk beyond benign.
- External report
- View on VirusTotal