Back to skill
Skillv0.3.0
VirusTotal security
PayGents · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:07 AM
- Hash
- 770a629bb535902caf82249579edf7ab812fa28abefc57cde2661adcd8d9d81f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: paygents Version: 0.3.0 The skill bundle implements legitimate cryptocurrency payment functionalities for an AI agent. However, the `scripts/evm-receipt.sh` script contains a path traversal vulnerability via the `--out` parameter. An attacker could craft a prompt to the agent to use this parameter with a path traversal payload (e.g., `../../../../tmp`) to write receipt files to arbitrary locations on the filesystem where the agent has write permissions. While this is a significant vulnerability, there is no clear evidence of intentional malicious behavior (e.g., writing to sensitive system files with malicious content or exfiltrating data) within the skill's code or instructions, classifying it as suspicious rather than malicious.
- External report
- View on VirusTotal