Back to skill
Skillv1.0.1
VirusTotal security
CoinMarketCap x402 APIs · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:54 AM
- Hash
- 4781204ba971c9ade046c2bf090313839d383ff6b35c551ffcdaf8969c3bd63e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cmc-x402 Version: 1.0.1 The skill is designed to access CoinMarketCap data via a pay-per-request protocol, which inherently requires on-chain USDC payments. The `SKILL.md` documentation and embedded TypeScript code explicitly instruct the AI agent to read a private key from `process.env.PRIVATE_KEY` to sign these transactions. While this action is necessary for the skill's stated purpose and there is no evidence of intentional malicious behavior (e.g., exfiltration of the key, unauthorized transactions), requiring an AI agent to handle a private key directly from its environment represents a significant security risk and vulnerability. This design choice, though transparent, makes the skill suspicious due to the high potential for misuse or compromise of sensitive cryptographic material.
- External report
- View on VirusTotal