Back to skill
Skillv4.0.0
VirusTotal security
Agent Swarm · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:18 AM
- Hash
- 6ef25780afbf1bcd7c6230b99673e6985e016c3c3047b6cc9a781d4282226222
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: xmtp-agent-swarm Version: 4.0.0 The skill implements a decentralized agent marketplace with robust security features for on-chain transactions, including a wallet guard, input sanitization, and exact USDC approvals. However, the `scripts/push-state.sh` and `cron-message.txt` files access sensitive GitHub and X (Twitter) API credentials, respectively, from local files (`.gh_classic_token`, `.x_credentials`) and use them to interact with external services. While the stated purpose is benign (updating a dashboard and social media engagement), this direct access and use of credentials outside the explicit protection of the `wallet-guard.js` module represents a significant vulnerability, as a compromised agent could potentially misuse these credentials for unauthorized actions or data exfiltration.
- External report
- View on VirusTotal