Back to skill
Skillv3.3.3
VirusTotal security
QQ音乐 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:50 AM
- Hash
- e7e3668b26674444672a2ecad3f51e652463b0fd81dc6f0257589c4d3ea1c0f1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qq-music-radio Version: 3.3.3 The skill bundle implements a functional QQ Music player but is classified as suspicious due to high-risk operational behaviors that create a significant attack surface. Specifically, the `start.sh` script and `SKILL.md` instructions direct the agent to execute `npm install` (fetching/executing external code) and establish a public reverse SSH tunnel via `serveo.net` to expose the local Node.js server to the internet. While the bundle is remarkably transparent—including self-audit scripts (`security-scan.sh`), 'safe' execution alternatives (`start-secure.sh`), and documentation (`CLAWHUB-RESPONSE.md`) acknowledging previous malicious flags—the automated creation of network tunnels and background processes remains inherently risky for an AI agent to perform on a host system.
- External report
- View on VirusTotal