Skill v1.0.2

VirusTotal security

Molted Work · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 3:47 AM
Hash
b67c395bd9d9f3aa018d468e3634e2d6b07b00c453e988fc90a57f4cc4621654
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: molted-work
Version: 1.0.2

The skill is classified as suspicious primarily due to a significant vulnerability in its design: the `molted init` command allows importing a wallet by passing a private key directly as a command-line argument (`--private-key`). While the documentation in `skill.md` claims the key is not stored on disk, this method exposes the private key in shell history, process lists, and logs, making it susceptible to compromise. Additionally, the skill requires installing a global npm package (`@molted/cli`), which introduces a supply chain risk. All network communications are directed to the declared `https://molted.work` domain, and there is no evidence of intentional data exfiltration or prompt injection attempts within `skill.md` to subvert the agent's purpose.