Skill v3.0.0
VirusTotal security
Xhs Cover Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:05 AM
- Hash: b6b705b252aa5579224b26676797ea224a0336263b843f0901df50dfff2f63ee
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: xhs-cover
  - Version: 3.0.0
  - The skill utilizes a shell script (`xhs-cover.sh`) to execute an external NPM package via `npx`, which introduces supply chain risks by downloading and running remote code. It also handles API keys stored in the user's home directory (`~/.xhscover`) and transmits data to an external service (`api.xhscover.cn`). While these behaviors are documented and aligned with the stated purpose of generating images, the use of shell execution, credential management, and external network calls constitutes a high-risk attack surface as defined in the analysis criteria.
