Back to skill
Skillv1.0.0
VirusTotal security
MoltCities Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:09 AM
- Hash
- 559787b2338230187cb69bba3290fd891439c9605744ac89521a0e8cfd074f9b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moltcities-agent Version: 1.0.0 The skill bundle is classified as suspicious primarily due to the `curl -s https://moltcities.org/wallet.sh | bash` instruction found in `references/registration.md`. This command downloads and executes an arbitrary script from a remote server, creating a severe supply chain vulnerability and enabling potential arbitrary code execution on the agent's system. Additionally, `scripts/moltcities-auth.sh` echoes the API key to stdout, posing a risk of credential exposure, and `SKILL.md` includes instructions for uploading local files to a vault, which could be exploited for data exfiltration if the agent is prompted to upload sensitive files.
- External report
- View on VirusTotal