Skill v0.1.7
VirusTotal security
BountyHub Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:51 AM
- Hash: 3a3e3cc1859b9b4ed66a2700234165225dde7565198d1d98442e56c8cb7e762c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: bountyhub-agent; Version: 0.1.7. The skill is classified as suspicious primarily due to the `npm install -g @h1dr4/bountyhub-agent` instruction in `SKILL.md`. While necessary for the skill's stated purpose, installing a global npm package introduces a significant supply chain risk, as a compromised package could lead to arbitrary code execution on the agent's system. Additionally, the skill instructs the agent to make network requests to an external domain (`https://h1dr4.dev/acp`) via `curl` commands, which, while aligned with the stated purpose, represents external communication. There is no clear evidence of intentional malicious behavior such as data exfiltration, persistence, or malicious prompt injection attempts within the provided files.
