Back to skill
Skillv1.0.0
VirusTotal security
me.txt · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:33 AM
- Hash
- dd026069aeea3553fc12274fb39c8741d076227eb9872295afc36dd24acafb3c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: me-txt Version: 1.0.0 The skill instructs the AI agent to execute external commands using `npx create-me-txt` in `SKILL.md`. While the stated purpose of creating, fetching, and validating `me.txt` files appears benign, relying on `npx` to download and run arbitrary code from the npm registry introduces a significant supply chain vulnerability. This allows for potential remote code execution (RCE) if the `create-me-txt` package (or a typosquatted version) were to become malicious, making it a high-risk capability without direct evidence of intentional malice.
- External report
- View on VirusTotal