Back to skill
Skillv1.0.2
VirusTotal security
WachAI-x402 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:40 AM
- Hash
- cc35ecadc6aa3eb55dfc03dfbc5dae528942ba0039ad569271b83d30da171133
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wachai-x402 Version: 1.0.2 The skill is classified as suspicious due to the potential for shell injection (RCE) via user-provided inputs to shell commands specified in `SKILL.md`. Instructions like `x402-wach wallet login <EMAIL>` and `x402-wach verify-risk <TOKEN_ADDRESS> <CHAIN_SHORT_NAME>` pass user-controlled data directly to the shell. If the OpenClaw agent does not rigorously sanitize these inputs, an attacker could inject arbitrary commands. While the `SKILL.md` includes strong 'Hard Rules' and 'Absolute Prohibitions' aimed at preventing malicious agent behavior (e.g., no secret exposure, no silent spend cap increase), the underlying command execution pattern presents a significant vulnerability.
- External report
- View on VirusTotal