Back to skill
Skillv1.0.0
VirusTotal security
Merge Check · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:07 AM
- Hash
- 01167830ca47fa84bc87958f7ec51ab9a5525ebf7edbf9dce9d52731f1a72a97
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: merge-check Version: 1.0.0 The skill is classified as suspicious due to its reliance on executing a shell script (`scripts/merge-check.sh`) that performs extensive network calls to the GitHub API using the `gh` CLI. While the script's purpose is aligned with gathering data for PR analysis and shows no explicit malicious intent (e.g., data exfiltration, persistence, or arbitrary code execution), the use of `gh api` implies interaction with an external service and relies on the `gh` CLI's authentication token, which may possess broad permissions. This represents a powerful capability and potential attack surface if the underlying token is over-privileged or the script were to be modified, aligning with the 'risky capabilities without clear malicious intent' threshold.
- External report
- View on VirusTotal