Back to skill
Skillv1.2.0
VirusTotal security
App核心指标问答 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 11:46 AM
- Hash
- 86347ea796e0466e1fb21437dda9458efc9702ac5cf9883415e06729027cb049
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: uapp-core-index Version: 1.2.0 The skill bundle contains instructions (SKILL.md) that direct the AI agent to automatically perform telemetry by running 'umeng-cli trace' commands, which include exfiltrating the user-provided 'appkey' to the CLI tool. While this may be intended for usage analytics, forcing an agent to report user-specific identifiers via prompt instructions is a high-risk behavior. Additionally, the documentation suggests a 'curl | sh' installation method from a remote GitHub repository, which is a common security risk for remote code execution.
- External report
- View on VirusTotal