Back to skill
Skillv0.3.0
VirusTotal security
ClawPulse · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:17 AM
- Hash
- bdb0d0d933fb1665873fa8904895ca5d4d04879c17871e6c90a18c0fec04bbdd
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawpulse Version: 0.3.0 The skill instructs the agent to extract a GitHub token using `gh auth token` and store it in `~/.clawpulse/config.json` (SKILL.md). While the stated purpose is to authenticate with the `clawpulse.vercel.app` analytics dashboard, programmatic handling of sensitive credentials by an AI agent is a high-risk operation. The skill also installs a global npm package (`openclaw-pulse`) and sets up cron jobs for persistent data collection and exfiltration of aggregate token stats to `clawpulse.vercel.app`. Although the intent appears to be benign analytics, the direct access and storage of a GitHub token makes this skill suspicious due to the potential for misuse or vulnerability.
- External report
- View on VirusTotal