Back to skill
Skillv1.0.0
VirusTotal security
deso-research · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:44 AM
- Hash
- 0cd7b6ed4ee93d160c0609a9a5d7380a0741a067bf0e687bb31ce72d4a1e34e1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: deso-research Version: 1.0.0 The skill is classified as suspicious due to the use of `npm install -g deso-ag` in `SKILL.md`. While this is a standard method for installing Node.js CLI tools, it introduces a supply chain risk where a compromised `deso-ag` package could lead to arbitrary code execution on the agent's host. Additionally, the skill accesses environment variables (`NEYNAR_API_KEY`, `BLUESKY_IDENTIFIER`, `BLUESKY_APP_PASSWORD`) which could contain sensitive API keys, although there are no explicit instructions within the provided files to exfiltrate this data. The prompt injection instructions in `SKILL.md` are benign, guiding the agent's output and analysis for the stated purpose.
- External report
- View on VirusTotal