Skill v1.0.0
VirusTotal security
Digital Pet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:00 AM
- Hash: 2f63192b2670042cafaae4970d3d092de62d4a0670b513334fb6e7be9e3608d6
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: digital-pet; Version: 1.0.0. The skill bundle is classified as suspicious due to the `scripts/desktop_pet.py` component. This Python script uses `PyQt5` and `QWebEngineView` to create a desktop pet, exposing a `PetBridge` object to JavaScript via `QWebChannel`. The `PetBridge` includes a `moveToMouse(x, y)` method, allowing JavaScript to directly control the desktop window's position. While the provided `pet_widget.html` does not actively utilize this method for its primary movement logic (which is handled by Python's `updatePosition` based on `QCursor.pos()`), exposing direct window manipulation to a webview creates a potential vulnerability. If the `pet_widget.html` were compromised (e.g., via XSS or by loading untrusted remote content), an attacker could potentially move the application window arbitrarily on the user's screen, including off-screen to hide it, or to cover other UI elements. This is a risky capability without clear malicious intent, aligning with the 'suspicious' classification.
