Back to skill
Skillv1.0.0
VirusTotal security
People Investigation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:07 AM
- Hash
- 9f99ad641b5d754533624f0c92f644e3400d47c19dd1a5c7568a47720b6975c3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pi Version: 1.0.0 The skill is classified as suspicious due to explicit instructions in `SKILL.md` to access highly sensitive local user data. Specifically, Phase 1 of the 'Investigation Protocol' instructs the AI agent to `grep` the user's `data/google-takeout/` directory for contacts, Google Pay transactions, and call history. This directly contradicts the 'Privacy & Ethics' section, which states, 'Only use publicly available information.' While there is no evidence of data exfiltration to an external attacker, this instruction represents a significant privacy violation and a design flaw that allows the agent to access private user data without clear, specific consent for this action, going beyond the scope of 'public records' OSINT.
- External report
- View on VirusTotal