Back to skill
Skillv1.9.72
VirusTotal security
Deploy Public · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:51 AM
- Hash
- fb24919488f19f90f9f507714dacbd4d60b4e51c96ef4b92899a34550daef8a7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: deploy-public Version: 1.9.72 The script `deploy-public.sh` performs automated repository syncing and NPM publishing, which involves high-privilege operations. Specifically, it attempts to read a service account token from `~/.openclaw/secrets/op-sa-token` to authenticate with the 1Password CLI (`op`) and retrieve an NPM password/token. While these actions are functionally aligned with the stated DevOps purpose, the direct access to host-level secret files and the automated retrieval of credentials from a password manager represent significant security risks that warrant a suspicious classification.
- External report
- View on VirusTotal