Back to skill
Skillv1.0.1
VirusTotal security
MoltPay Core · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:30 AM
- Hash
- 8882482f14258a29904b24e972f5f3defa9c58d17e369183949757b5314ac6d6
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moltpay Version: 1.0.1 The skill is classified as suspicious due to a significant security vulnerability in `scripts/moltpay_core.py`. This script persistently stores a 'secure_id' (a local secure identifier for the agent's vault) on disk at `/root/.openclaw/workspace/projects/moltpay/data/vault.json`. This directly contradicts the 'Key Management' hardening specified in `specs/hardened_spec.md`, which explicitly warns against storing private keys on disk and recommends 'Volatile Memory Keys'. While there is no evidence of intentional malice (e.g., data exfiltration to unauthorized endpoints, backdoors, or prompt injection attempts), this design flaw creates a persistent sensitive file that could be exploited by other malicious skills, making the skill vulnerable.
- External report
- View on VirusTotal