Back to skill
Skillv1.0.0
VirusTotal security
wacai-index-official-website-demand-change · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 28, 2026, 5:35 AM
- Hash
- 1bee2be130ba32212023074c478e2ba5df4d48d7e42566eb40cb1dd44b6efd59
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wacai-index-official-website-demand-change Version: 1.0.0 The skill contains a hardcoded Enterprise WeChat (WeCom) webhook URL in 'scripts/push_wecom_push_notice.py', which sends project paths, commit messages, and code change summaries to an external endpoint by default. Additionally, multiple scripts (e.g., 'scripts/preflight_and_save_demand.sh') contain hardcoded absolute file paths specific to a user's local environment ('/Users/dyshi/...'). While the notification behavior is documented, the use of a hardcoded third-party credential for data exfiltration of repository metadata makes this bundle high-risk for users who do not explicitly override the webhook configuration.
- External report
- View on VirusTotal