Skill v1.0.0

VirusTotal security

Clawvisual · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 30, 2026, 5:20 AM
Hash
1a4d2fc5b753c6c881b4e92ad9e376285aeed0ebfb9457a655edfb5e0a34af75
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: clawvisual-mcp
Version: 1.0.0

The skill bundle implements a social carousel generator that manages sensitive LLM API keys and auto-starts a local background web service using `child_process.spawn`. While these features are aligned with the tool's stated purpose, the practice of storing secrets in plain text (`~/.clawvisual/config.json`) and spawning unreferenced background processes in `scripts/clawvisual-mcp-client.mjs` constitutes a high-risk capability. Additionally, the `call` command provides a generic proxy to the local MCP server, which could be leveraged by an agent to perform unauthorized actions if the server's toolset is expanded beyond the documented scope.