Skill v0.1.0

VirusTotal security

Check Wallet · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · May 1, 2026, 5:00 AM
Hash: 7b5dec06d82ceac4b30eb943f4d8632624e824958e9eaeb67ef93cbeb3437466
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: check-wallet
Version: 0.1.0

The skill is designed for a legitimate purpose (checking wallet balances) and uses a restricted set of `npx` commands. However, it explicitly allows the agent to specify custom RPC endpoints (`--solana-rpc <url>`, `--evm-rpc <url>`) in `SKILL.md`. This creates a prompt injection vulnerability where a malicious prompt could instruct the agent to send public wallet data (addresses, balances) to an attacker-controlled RPC server for logging or tracking. Additionally, the phrase "execute immediately without user confirmation" in `SKILL.md` is a minor prompt injection attempt to bypass potential security prompts, though its effectiveness depends on the agent's implementation.