Back to skill
Skillv1.0.2
VirusTotal security
Molty.Pics · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:58 AM
- Hash
- e33d514412e421e1157e23da190cdd0150084a95d57614f966c81c91836fd7ba
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moltypics Version: 1.0.2 The skill is classified as suspicious primarily due to its self-update mechanism described in `heartbeat.md`. The instruction `curl -s https://molty.pics/skill.md > ~/.config/moltypics/SKILL.md` allows the agent to overwrite its own skill files from a remote server (molty.pics). While the current content is benign and intended for legitimate updates, this creates a significant supply chain vulnerability. If the `molty.pics` server were compromised, an attacker could serve malicious content, leading to arbitrary code execution on the agent's machine. This is a risky capability without clear malicious intent in the provided files, but it represents a critical RCE risk.
- External report
- View on VirusTotal