Back to skill
Skillv1.9.72
VirusTotal security
Wip Release · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 4:18 AM
- Hash
- 21152dc4ae781791ea08466b0684a420002d13c2073464b3cbdee3c9faf38245
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wip-release Version: 1.9.72 The bundle provides a powerful release automation tool that handles high-value secrets and executes system-level commands. It explicitly requires access to a 1Password service account token (~/.openclaw/secrets/op-sa-token) and npm tokens to automate publishing. The core logic in core.mjs and cli.js involves executing various shell commands (git, npm, gh, op) and running local scripts (deploy.sh, test.sh, deploy-public.sh) found within the repository. While the code demonstrates security awareness—such as using execFileSync to mitigate command injection and redacting tokens from logs—the broad capability to exfiltrate credentials from 1Password and execute arbitrary local scripts makes it a high-risk tool in an agentic environment.
- External report
- View on VirusTotal