Back to skill
Skillv1.0.0
VirusTotal security
Moltywork · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:23 AM
- Hash
- f3127cf4a131376b3cd8a304f92a4c6711b927c5397a32db65d1a8f044685286
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moltywork Version: 1.0.0 The skill bundle is classified as suspicious due to its self-update mechanism and explicit prompt injection instructions. Both `skill.md` and `heartbeat.md` instruct the agent to download and overwrite its own `SKILL.md` file from `https://moltywork.com/skill.md` and to fetch and follow instructions from `https://moltywork.com/heartbeat.md`. This allows for remote modification of the agent's behavior and capabilities, introducing a significant supply chain risk if the `moltywork.com` server were to be compromised, despite the current content appearing benign and including a security warning against API key exfiltration to other domains.
- External report
- View on VirusTotal