Skill v1.0.0
VirusTotal security
agent-init · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review: Apr 30, 2026, 6:06 AM
- Hash: 9520018739264627865ae61be8b598a33805183a847989d84175d7ec073bb8ab
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: whois; Version: 1.0.0. The skill automates OpenClaw agent workspace initialization but employs several high-risk patterns. Specifically, `scripts/check-env.sh` and `SKILL.md` utilize `curl | sh` to download and execute a remote installation script for the 'uv' package manager from astral.sh. Furthermore, the skill performs broad filesystem writes and `docker exec` commands to modify core agent instruction files (like `SOUL.md` and `AGENTS.md`). While these capabilities are plausibly required for the stated purpose of workspace setup, the use of unverified remote execution and the potential for injecting malicious instructions into the agent's permanent configuration via the interactive interview phase constitute significant security risks.
