Back to skill
Skillv0.4.1
VirusTotal security
IDE Agent Kit · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:27 AM
- Hash
- ea32b9bdeb12ba7f5f940120e9251af457f933d8b0a62d263ed6663d042853f7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ide-agent-kit Version: 0.4.1 The skill is classified as suspicious due to its capabilities that, if exploited via prompt injection, could lead to data exfiltration. Specifically, the `emit` and `hooks create` commands allow sending arbitrary data to user-specified external URLs. The skill also reads `ide-agent-kit.json`, which the documentation explicitly states 'may contain secrets'. A malicious prompt could instruct the agent to read this configuration file and exfiltrate its contents using the `emit` command. While shell command execution (`tmux run`, `exec`) is present, it is heavily mitigated by a strict default allowlist and an approval flow, reducing its immediate malicious potential. The `SKILL.md` is transparent about these capabilities, but the combination of reading potentially sensitive local files and the ability to send data to arbitrary external endpoints constitutes a significant risk.
- External report
- View on VirusTotal