Back to skill
Skillv1.0.9
VirusTotal security
Boiling Point · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:23 AM
- Hash
- ac88525ecd3c80b9078e14361dda016ace38d3e56a670199689c394fe638f9f5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: boiling-point Version: 1.0.9 The skill is classified as suspicious due to its reliance on shell command execution (`curl`, `jq`) and interaction with an external financial API (`https://api.tokenlayer.network`) for on-chain cryptocurrency transactions. While the `SKILL.md` instructions themselves do not contain explicit malicious prompt injection attempts or instructions for harmful behavior, the inherent capability of the agent to construct and execute shell commands based on user input introduces a significant attack surface for potential shell injection vulnerabilities. The skill's purpose involves high-risk financial operations, and although it includes positive security controls like `disableModelInvocation: true` and instructions for user approval before sending transactions, the direct execution of network and on-chain commands elevates its risk profile beyond benign.
- External report
- View on VirusTotal