Skill v0.1.0
VirusTotal security
Settld MCP Payments · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:12 AM
- Hash: 41dd1738b5f532be11afeed7154389a2784caf57475dc10854ebf28b7a58a2ac
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: settld-mcp-payments. Version: 0.1.0. The skill bundle is classified as suspicious due to the use of `npx -y settld-mcp` in `SKILL.md` and `mcp-server.example.json`. While `npx` is a legitimate tool, the `-y` flag allows automatic download and execution of an external npm package (`settld-mcp`) without explicit confirmation, introducing a supply chain risk. If the `settld-mcp` package were compromised, it could lead to arbitrary code execution. There is no direct evidence of malicious intent within the provided files, but this execution model represents a significant vulnerability.
