Skill v1.1.0

VirusTotal security

Receipt Tracker · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 5:54 AM
Hash
b6f14fc3bb833ba7497c1d21b1443356528e7513aa106c98e206ba0b54a1959f
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: receipt-tracker
Version: 1.1.0

The skill bundle contains hardcoded plaintext credentials (username and password) for a Nextcloud instance within the `nc_worker.py` file. While the core logic in `SKILL.md` for receipt tracking and OCR via Gemini appears benign and functional, the inclusion of static credentials and an internal network URL (http://fedora:8082) represents a significant security risk and poor practice, though no clear evidence of intentional data exfiltration or malicious behavior was identified.