Back to skill
Skillv0.1.5
VirusTotal security
Tools Ui · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:31 AM
- Hash
- 5cddd1ba82442072e8537b110903c862bee360090d9750af38f3ccc8330261db
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tools-ui Version: 0.1.5 The `SKILL.md` file contains `npx` commands (`npx shadcn@latest add ...` and `npx skills add ...`) that instruct a developer to fetch and execute remote resources from `https://ui.inference.sh` and `inference-sh/skills`. While these commands are presented as developer setup steps for UI components and appear benign in their immediate intent, they represent a supply chain risk by fetching and executing external code/configuration. This constitutes a 'risky capability' due to network access and local execution, even without clear evidence of intentional malicious behavior like data exfiltration or backdoors.
- External report
- View on VirusTotal