Back to skill
Skillv1.0.1
VirusTotal security
Oracle · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:00 AM
- Hash
- 68cd715a31305f95e0fcbd5537bcad0a8d14b16796b1b56da09fdea75f097458
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: oracle Version: 1.0.1 The skill is classified as suspicious due to its reliance on `npx -y` to execute an external npm package (`@steipete/oracle`), which introduces a supply chain risk. It performs broad file access (e.g., `src/**`) and sends these files to external AI services via network calls, a high-risk operation despite explicit warnings in SKILL.md against sharing secrets. Additionally, the 'remote browser host' feature allows configuring a server to listen on `0.0.0.0`, which is a broad network exposure.
- External report
- View on VirusTotal