Skill v1.0.2
VirusTotal security
Potato Tipper · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:37 AM
- Hash: 0b4dc8b8255d62777d7b16ce39c794ccecc4c146381598a84dbb23cd5d20210e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: potato-tipper; Version: 1.0.2. The skill is classified as suspicious due to its direct handling of a user's private key and reliance on an external GitHub repository. The `SKILL.md` and `scripts/setup_potato_tipper.sh` explicitly instruct the AI agent to use a `PRIVATE_KEY` environment variable to sign and broadcast blockchain transactions via `forge script`. While the Solidity script (`SetupPotatoTipper.s.sol`) and the shell script appear to perform legitimate configuration actions for the 'Potato Tipper' application, the direct exposure and use of a private key by an AI agent represent a critical vulnerability. Additionally, the `setup_potato_tipper.sh` script performs a `git clone` from an external URL (`https://github.com/CJ42/potato-tipper-contracts.git`), introducing a supply chain risk if that repository were ever compromised. These are significant security risks, even without clear evidence of intentional malicious exfiltration or unauthorized actions within the provided code.
