Skill v1.0.0
VirusTotal security
toolchain-bootstrap · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 20, 2026, 5:56 AM
- Hash: 6a06dc230ad1405bec6a20be6f1e55c22fd9eef8635a9292f6a65f7cafc6c902
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: toolchain-bootstrap; Version: 1.0.0. The skill downloads and extracts a large (~590MB) unverified binary archive from a personal GitHub repository (TurinFohlen/openclaw-toolchain) and modifies the user's ~/.bashrc for environment persistence. While these actions are consistent with the stated purpose of bootstrapping a development toolchain, the lack of checksum/signature verification for the remote payload and the automated modification of shell profiles represent a significant supply chain risk. Primary files: scripts/bootstrap.sh and scripts/setup-env.sh.
