Back to skill
Skillv1.0.0
VirusTotal security
Token Research · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:34 AM
- Hash
- 801a2a11dcbdfc9d8835d12a6ede6e4a7ba2af93196bace98a1790ae4feb3a81
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: token-research Version: 1.0.0 The skill bundle contains instructions in SKILL.md that create a shell injection vulnerability by directing the AI agent to execute a local script (~/workspace/scripts/ape-call.sh) using unsanitized data (ticker symbols and narratives) fetched from external APIs like DexScreener and Twitter. Furthermore, the instructions mandate autonomous 'deep dives' and notifications without user confirmation, which increases the risk of the agent being manipulated by malicious content found in external token metadata or social media posts (prompt injection). The reliance on an external, non-bundled script for 'MANDATORY' alerts is also a significant security and functional dependency.
- External report
- View on VirusTotal