Back to skill
Skillv1.0.0
VirusTotal security
浅草寺.skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 14, 2026, 5:42 PM
- Hash
- 99bd7b69606e894eaebfdf8efec0635d4da066ab7b9dea1c2cc809a235545542
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: asakusa-omikuji-skill Version: 1.0.0 The script `scripts/draw_omikuji.py` implements a high-risk 'downloader-executor' pattern. It creates a temporary directory, fetches a Python script and a JSON data file from a remote GitHub repository (raw.githubusercontent.com/Shaozrrr/asakusa-omikuji-skill/main), and then executes the downloaded script using `runpy.run_path`. This behavior allows for arbitrary Remote Code Execution (RCE) and bypasses static analysis of the bundle, though no explicitly malicious payload (like credential theft) is present in the provided code.
- External report
- View on VirusTotal