Back to skill
Skillv0.1.11
VirusTotal security
Eval Driven Development · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 6:00 AM
- Hash
- 3d3f8db1fd3e2911c0e1d6c51bba2d1437efea89e789125e8a7e8e81f644221b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: eval-driven-dev Version: 0.1.11 The skill bundle implements an automated LLM evaluation framework that requires high-risk capabilities, including mandatory package upgrades (pixie-qa) and a self-update mechanism. The SKILL.md instructions direct the agent to run check_version.py, which fetches metadata from a remote GitHub repository (github.com/yiouli/pixie-qa), and then perform a re-installation of the skill via 'npx skills add' if a version mismatch is found. While these behaviors are aligned with the stated purpose of maintaining a development tool, the automated remote fetching and self-modification of the agent's own instructions represent a significant supply chain risk and a potential vector for remote code execution.
- External report
- View on VirusTotal