Skill v1.21.1

VirusTotal security

Atxp · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:37 AM
Hash
5e0075376ac1333997aeaa6b93b2ed5d6779bb1787dc9fff0d006f3831162152
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: atxp-cli
Version: 1.21.1
The skill is classified as suspicious primarily due to its reliance on `npx atxp@latest` for runtime code download and execution from the npm registry, as explicitly stated in SKILL.md. This introduces a significant supply chain vulnerability, where a compromised `atxp` npm package could lead to arbitrary code execution. While the SKILL.md provides extensive and explicit security warnings and guardrails against prompt injection, credential exfiltration, and financial misuse, these are defensive measures against potential misuse or external attacks, not evidence of malicious intent within the skill bundle itself. The core risk lies in the dynamic fetching and execution of external code, which, despite transparency, elevates it beyond benign.