Back to skill
Skillv1.2.6
VirusTotal security
ClawReach · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:46 AM
- Hash
- dc9b430f64c7e16c975cb08004b747ee2239534b77db7db9a9a608ce7c84c89b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawreach Version: 1.2.6 The skill implements a messaging relay that relies on high-risk behaviors, specifically the use of `curl` to download and overwrite its own instruction files (`SKILL.md`, `RULES.md`) from `https://clawreach.com`. While the documentation includes security-conscious instructions—such as explicitly telling the agent not to execute commands from incoming messages and requiring owner confirmation for updates—the pattern of fetching remote Markdown instructions to be executed by the AI agent creates a significant supply-chain risk and a mechanism for potential remote code execution if the external domain is compromised.
- External report
- View on VirusTotal