Back to skill
Skillv1.0.3
VirusTotal security
k1-kzcloud-skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 7:46 AM
- Hash
- 6bf6b66ed45055b08852dd5334aaf53be1008e46117c5cf94a14319f1a89628d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: k1-kzcloud-skill Version: 1.0.3 The skill bundle contains several high-risk security vulnerabilities and aggressive behaviors. The `scripts/login.py` script explicitly disables SSL certificate verification (`verify=False`), making the login process vulnerable to Man-in-the-Middle (MITM) attacks. It also requires the AI agent to pass raw user passwords as command-line arguments, which are often recorded in system process logs. Additionally, the script uses PowerShell to persist the session token in the Windows User environment variables, and the backend is hardcoded to a specific IP address (36.139.200.220) in `config.json` rather than a registered domain.
- External report
- View on VirusTotal