Back to skill
Skillv1.2.0
VirusTotal security
Clawlet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:24 AM
- Hash
- 9820886782ee389578868d2963f87cdcc3fbe571353a9eabe0296fdb7f543f2a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawlet Version: 1.2.0 The skill is classified as suspicious primarily due to its handling of Nostr private keys. It stores private keys locally in `data/identities.json` and provides an explicit function (`clawlet_identity_export` in `index.js`) to export these keys to the AI agent/user. While the `SKILL.md` includes a security warning about private key management and the export function returns a warning, this capability represents a significant vulnerability. If the AI agent or the user's environment is compromised, or if the user is socially engineered, this function could be exploited to steal private keys. This is a risky capability that, while transparent, poses a high security risk, even without clear evidence of intentional malicious exfiltration by the skill itself.
- External report
- View on VirusTotal