Skill v1.1.1

VirusTotal security

Buzz · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: May 1, 2026, 5:05 AM
Hash: df44af1d24ce00146ce7596f89afdf7534515504940b90eea4271aef33a83da6
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: buzz
Version: 1.1.1

The skill is classified as suspicious due to its request for broad `exec` and `read` permissions in `package.json`, which are high-risk capabilities. While the `SKILL.md` instructions primarily use `exec` for legitimate setup (e.g., `git clone`, `npm install`, `npm start`) and interaction with a local server via `curl`, and `read` is not explicitly instructed for malicious purposes, the inherent power of these tools, combined with the handling of sensitive credentials (API keys, bot tokens) and reliance on an external GitHub repository (`github.com/zxcnny930/buzz`) for the core application code, introduces significant security risks and supply chain vulnerabilities. There is no clear evidence of intentional malicious behavior or unauthorized data exfiltration instructed by the skill itself, but the potential for misuse is notable.