Skill v0.1.3
VirusTotal security
Clawpm · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:56 AM
- Hash: 85d6425f5bb40817aed198a33b9e269ac2d8724528013962bb02b66dc3ab37e0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: clawpm. Version: 0.1.3. The skill bundle is classified as suspicious due to a significant supply chain vulnerability. The `SKILL.md` instructs the OpenClaw agent to install the `clawpm` package directly from a Git repository (`git+https://github.com/malphas-gh/clawpm`) using `uv`. This method bypasses standard package registry security checks, making the installation highly dependent on the integrity of the external GitHub repository. If the upstream repository were compromised, malicious code could be injected into the installed `clawpm` tool, leading to potential remote code execution or data exfiltration on the agent's system. While the provided files themselves do not contain explicit malicious code or prompt injection attempts, this installation method represents a critical vulnerability.
