Skill v0.4.1
VirusTotal security
Clawlett · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:51 AM
- Hash: 237985a0245bd5604e089ce6c47725f8ce21dfc4dedaac33d92e86d7f9930eb1
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: clawlett. Version: 0.4.1. The skill bundle is classified as suspicious due to prompt injection vulnerabilities against the AI agent, primarily outlined in `SKILL.md` and `MIGRATION_GUIDE.md`. While the underlying JavaScript code and smart contract architecture (Gnosis Safe, Zodiac Roles, reliance on backend API for signatures) appear robust and designed for security, the agent's instructions to 'NEVER execute an on-chain transaction unless the user explicitly asks for it' and to 'Always display the warning with contract address... Ask the user to confirm' for unverified tokens can be bypassed by a malicious prompt. Similarly, the `MIGRATION_GUIDE.md` contains detailed on-chain transaction instructions for the 'owner' with an explicit warning 'the agent cannot do this autonomously', which a prompt injection could attempt to override, leading the agent to misinterpret these as commands for itself. These are vulnerabilities that allow attacks by manipulating the agent's behavior, rather than intentional malicious code.
