Back to skill
Skillv1.4.0
VirusTotal security
Clawmarket · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:57 AM
- Hash
- 01536ca6d713eb2cc2e1a21304f2bd34aa4acc3d7434990062a5d5b2b487f7ca
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawmarket Version: 1.4.0 The skill itself acts as a client for a legitimate skill marketplace (claw-market.xyz). However, it instructs the AI agent to perform high-risk operations inherent to a skill installer. Specifically, SKILL.md instructs the agent to execute an `installCommand` (e.g., `npx clawhub install weather`) which could be a shell command, and to write downloaded skill packages (including `package.scripts`) to the local filesystem. While these actions are necessary for the stated purpose of installing other skills, they represent significant vulnerabilities, as a malicious marketplace or a compromised skill publisher could leverage these capabilities to execute arbitrary code or write malicious files on the agent's system, leading to supply chain attacks.
- External report
- View on VirusTotal