Back to skill
Skillv1.0.0
VirusTotal security
Capture Website · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:31 AM
- Hash
- c860985fd42cee33e6d53457c479a344a938d54b23ea0821e35cb93c7fa2c48c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: capture-website Version: 1.0.0 The skill is classified as suspicious due to two main factors found in `SKILL.md`. First, it instructs the agent to perform a global npm package installation (`npm install -g capture-website-cli`), which introduces a supply chain risk by executing arbitrary code from a public registry. Second, the skill executes a shell command (`capture-website <URL>`) with a user-provided URL, creating a potential shell injection vulnerability if the agent does not adequately sanitize the input URL before execution. While these actions are plausibly needed for the skill's stated purpose, they represent significant risky capabilities and vulnerabilities, respectively, without clear evidence of intentional malicious exploitation by the skill itself.
- External report
- View on VirusTotal