Back to skill
Skillv0.1.0
VirusTotal security
OpenMM Exchange Setup · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:34 AM
- Hash
- 4889c6a1bda2c922bbd8d8a42edfab69a4a8e6793826f8af2fbe3cc7d59c3e37
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: openmm-exchange-setup Version: 0.1.0 The skill guides users through configuring API credentials for cryptocurrency exchanges, which inherently involves handling sensitive information. It instructs the agent to install and run external npm packages via `npx` (`@3rd-eye-labs/openmm`, `@qbtlabs/openmm-mcp`), introducing a supply chain risk. More critically, the `SKILL.md` includes a troubleshooting step (`sudo ntpdate time.google.com`) that involves executing a `sudo` command. While the command itself is for a legitimate purpose (system clock synchronization), its presence in an agent-executed markdown file represents a potential privilege escalation or arbitrary command execution vulnerability if the agent executes `sudo` commands without explicit user consent or proper sandboxing. There is no clear evidence of intentional malicious behavior like data exfiltration or backdoors.
- External report
- View on VirusTotal