Skill v1.1.1
VirusTotal security
ClawLife · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:20 AM
- Hash: cf5d99e4fa59281ca2582e5ef008414fce514449b179aafe11553b683e791bff
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: clawlife; Version: 1.1.1. The skill is classified as suspicious primarily due to significant supply chain risks. The `install.sh` script uses `curl -fsSL https://clawlife.world/install.sh | bash` and `git clone https://github.com/mithri-claws/clawlife-skill.git`, and `scripts/heartbeat.sh` includes an auto-update mechanism via `git pull`. These methods allow for arbitrary code execution from external sources (`clawlife.world` domain or GitHub repository) without prior review, making the skill vulnerable to compromise if these upstream sources are malicious or become compromised. While the current code does not exhibit malicious intent (e.g., it explicitly warns against sharing tokens in `CLAWLIFE_HEARTBEAT.md` and handles its own token with `chmod 600`), these vulnerabilities could easily lead to the delivery of malicious payloads.
