Back to skill
Skillv1.0.1
VirusTotal security
Clawket · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:41 AM
- Hash
- 918b091e70d2cd7d293d48c5b331f151a00889909f8696fd196a87064a1c6737
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawket Version: 1.0.1 The skill is classified as suspicious due to its direct handling and exposure of a sensitive authentication token. The `scripts/gateway-qr.sh` script explicitly reads the raw `gateway.auth.token` from `~/.openclaw/openclaw.json` using `python3 -c`. This token is then embedded into a QR code payload and saved as a PNG file (`~/.openclaw/media/clawket-qr.png`). The `SKILL.md` instructions then direct the AI agent to send this PNG file to the user. While the stated purpose is legitimate (mobile app pairing), the direct access and transmission of an unredacted authentication token represents a significant security risk, as it could be intercepted or misused if the user's environment or the agent's output channel is compromised. There is no evidence of intentional malicious exfiltration to an unauthorized third party, but the capability is high-risk.
- External report
- View on VirusTotal