Back to skill
Skillv1.0.6
VirusTotal security
Paired — Bluetooth Phone Bridge · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 10:41 PM
- Hash
- c31057b8de3743a372fb1532d3a4da67aa761f97d7b6e27e05625560479bb772
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: paired Version: 1.0.6 The 'paired' skill bundle provides an extensive suite of tools to bridge an OpenClaw agent with a user's Android phone via Bluetooth and ADB. It includes high-risk capabilities such as executing sudo commands (in bt-recover.py and bt-pan.py), maintaining persistent systemd services, and full control over a mobile device via ADB, including automated screen unlocking using a stored PIN (paired-sms-send.py). While the developer has implemented several robust security measures—most notably an HMAC-signed inbox for command dispatch (paired-inbox-hook.py) and trusted-number allowlists for outgoing calls and SMS—the bundle's broad access to system-level primitives and external APIs (Telegram, Gemini, Open-Meteo) creates a significant attack surface. The complexity of the command dispatch logic and the requirement for passwordless sudo for certain functions make this bundle high-risk, although no clear evidence of intentional malice was found.
- External report
- View on VirusTotal