Back to skill
Skillv0.2.1
VirusTotal security
Avatar Runtime · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:29 AM
- Hash
- 0a47850b1caf89dc6948ec93404e6d52a481463df49ac23b22117b888e44b002
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: avatar-runtime Version: 0.2.1 The `avatar-runtime` skill (v0.2.1) instructs the agent to execute external code via `npx` and run local bash scripts (e.g., `ensure-default-vrm-sample.sh`) that are not included in the bundle. It requires broad permissions, including `Bash(bash:*)` and `Bash(npm:*)`, and handles sensitive environment variables like `HEYGEN_API_KEY`. While the `SKILL.md` documentation provides explicit security warnings and the functionality aligns with its stated purpose, the reliance on fetching and executing unverified remote artifacts at runtime constitutes a high-risk supply chain behavior.
- External report
- View on VirusTotal