Back to skill
Skillv1.0.0
VirusTotal security
Xiaomi · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:25 AM
- Hash
- 4536070cc3ac0ea9027b2c2ae506df51fd351b5ee34f17781e0929675c974210
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill The skill is classified as suspicious due to the use of an `exec` command during installation, which involves direct shell execution (`pipx install python-miio && /Users/$(whoami)/.local/pipx/venvs/python-miio/bin/python -m pip install 'click<8.1.0'`) as specified in `SKILL.md`. While the command appears to be for legitimate dependency management and installation of the `python-miio` library, direct shell execution is a high-risk capability. Additionally, `SKILL.md` mentions a `scripts/token_extractor.py` script (not provided for analysis) intended to fetch sensitive device tokens from Xiaomi Cloud, which, if malicious, could pose a significant risk, even though the skill itself does not execute it.
- External report
- View on VirusTotal