Back to skill
Skillv1.0.0
VirusTotal security
AI Auto Dev · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:32 AM
- Hash
- b309f0753afdbd1cd6a6d422222541fce7d8a88d327fe2f9f057345401c3b49f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ai-auto-dev Version: 1.0.0 The skill is classified as suspicious due to its requirement for the 'Builder' component to operate with 'danger-full-access' (full file system and command execution), and its instruction for the AI agent to automatically call another skill ('dev-log') which performs 'git commit', 'git tag', and 'git push' to GitHub. While these capabilities are plausibly needed for an 'AI full-automation programming' skill, they represent significant security risks (e.g., RCE, supply chain compromise) if the Builder is fed malicious instructions via a crafted spec, or if the 'dev-log' skill itself is compromised. There is no clear evidence of intentional malicious behavior within the provided instructions, but the broad permissions and automated code deployment capabilities are high-risk.
- External report
- View on VirusTotal