Skill v0.1.0
VirusTotal security
Snipgrapher - generate images from code snippets · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:18 AM
- Hash: 3aaeec6e87ee2d0f4f5bd97baab463f8ac15ac6afd9e9f9d5bfea4068630df7b
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: snipgrapher
  - Version: 0.1.0
  - The skill instructs the AI agent to use `npx --yes snipgrapher` to install and execute the `snipgrapher` tool from npm if it's not found. This instruction, found in `rules/rendering-workflows.md` and `rules/setup-and-configuration.md`, creates a supply chain vulnerability. Automatically downloading and executing code from a public registry without user confirmation (due to `--yes`) poses a risk of arbitrary code execution if the `snipgrapher` npm package (or a typosquatted version) were compromised. While the skill's stated purpose is benign, this practice introduces a significant security risk.
