Back to skill
Skillv2.0.0
VirusTotal security
Skill Publish Adapter Real · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:04 AM
- Hash
- 08669c12345a66d812cdd956b502bdb6acbd5f17d28f76d171f2548f4e81b93d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skill-publish-adapter-real Version: 2.0.0 The skill bundle exhibits several red flags, including a significant discrepancy between the package name in package.json (@clawhub/skill-validator) and the skill name in SKILL.md (skill-publish-adapter), as well as inconsistent GitHub handles for the author. The SKILL.md file contains instructions for the AI agent to download and execute external shell scripts via curl from a third-party repository (github.com/puppetcat-fire), which is a high-risk pattern for remote code execution. While the tool claims to 'bypass' platform bugs to improve publishing success rates, this framing combined with the external script fetching and missing local source code (install.sh) warrants a suspicious classification.
- External report
- View on VirusTotal