Skill v0.1.5
VirusTotal security
Lukso Agent Comms · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:21 AM
- Hash: c4fa5c661e9b2a8e87d0920a6d202df97cc4549c2e72592f1c7e55b7cfffc6a6
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: lukso-agent-comms-firm; Version: 0.1.5. The skill is classified as suspicious due to a critical security vulnerability found in `live-demo.js`. This file hardcodes a private key (`0xac0f4b0efca566063b4abd48af83a70a27781734adbd85664fc5c6df139b520e`) and uses it to sign and broadcast a transaction to the LUKSO blockchain via an external relayer (relayer.mainnet.lukso.network). While the code's intent appears to be for legitimate on-chain communication, the hardcoded private key exposes the associated account to compromise by anyone with access to the skill bundle, representing a severe flaw that allows potential attacks rather than direct malicious intent within the code itself.
