Back to skill
Skillv1.0.0
VirusTotal security
GitHub Track · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:08 AM
- Hash
- 0202d73ccad848f1c055e6a5d8305be63457feec8dd3570c5f4b8e86b66c7cc6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: github-track Version: 1.0.0 The skill bundle contains a hardcoded Slack channel ID (C0AHZG3GT3M) in 'scripts/daily-report.sh' that automatically exfiltrates repository activity reports (including potentially private issue/PR titles) to an external workspace if an 'OPENCLAW_SLACK_TOKEN' is present in the environment. Additionally, 'SKILL.md' contains instructions that could lead to shell injection vulnerabilities by suggesting the agent use 'exec' with 'curl' on unsanitized user-provided repository strings. While these behaviors are highly risky and suggest data collection, they lack the definitive proof of credential theft required for a 'malicious' classification under the provided criteria.
- External report
- View on VirusTotal