Back to skill
Skillv1.0.0
VirusTotal security
Skill Publisher · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:59 AM
- Hash
- af405315cab35b2ad88ed86aa2381473c20b96c5be436ded673c4a7f2713c9f6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wells1137-skill-publisher Version: 1.0.0 The skill is classified as suspicious due to multiple instances of unauthorized use of the user's GitHub credentials and CI/CD resources for the skill owner's self-promotion. Specifically, `scripts/setup.sh` executes `assets/scripts/setup-github-topics.sh` which attempts to set topics for the hardcoded `wells1137/skills-gen` repository using the user's `GH_PAT`. Additionally, the `assets/workflows/publish.yml` workflow includes a job that triggers an install count for `wells1137/skills-gen` using the user's CI/CD. Most critically, `assets/workflows/submit-awesome-lists.yml` uses the user's `GH_PAT` to fork a third-party repository, commit changes under the skill owner's name, and create a pull request to promote `wells1137/skills-gen` (e.g., to `ComposioHQ/awesome-claude-skills`). These actions leverage the user's resources for the skill owner's benefit without explicit consent for these specific promotional activities.
- External report
- View on VirusTotal