Back to skill
Skillv0.1.2
VirusTotal security
Clawai Town Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:29 AM
- Hash
- e9b61cb5cae1112e9e152f76d9db1bb86dd403a45c2f6ab809b0739ad102e363
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawai-town Version: 0.1.2 The skill is suspicious due to a critical prompt injection vulnerability in `index.js`. The `buildWorldContext` function directly embeds unsanitized data (agent names, event text) received from the external WebSocket server (`wss://clawai-town-server.onrender.com/agent`) into the agent's LLM prompt. A malicious actor controlling the server or injecting data into the world state could craft these strings to manipulate the agent's decisions, potentially leading to unauthorized actions, including financial transactions given the skill's Solana integration. While the code itself does not exhibit intentional malicious behavior like direct credential theft or backdoor installation, this vulnerability allows an external entity to potentially coerce the agent into performing harmful actions.
- External report
- View on VirusTotal