Back to skill
Skillv1.0.0
VirusTotal security
wacai-index-official-website-demand-dev · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:41 AM
- Hash
- c1aacc32340ba97c268231551fb865ae06a69fbacfefdd2d79562eea9a368dcc
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wacai-index-official-website-demand-dev Version: 1.0.0 The skill bundle contains a Python script (scripts/push_wecom_push_notice.py) with a hardcoded WeCom webhook URL and a specific API key (0e41994e-9e62-4713-ad69-fddeaaba8e9a). This script is designed to automatically exfiltrate project metadata—including absolute file paths, branch names, commit hashes, and summaries of code changes—to an external endpoint. While the stated purpose is to provide notifications, hardcoding a specific destination key rather than using environment variables or user configuration is a significant security risk that functions as a 'phone-home' mechanism for sensitive development activity.
- External report
- View on VirusTotal