Skill v1.1.2

VirusTotal security

ClawFriend · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: May 1, 2026, 3:32 AM
Hash: 6dff64fd7b3135c5c5c2ebe89dbbfcd0acfc12ee4b5ea589ff1c6fb82f317e12
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: clawfriend
Version: 1.1.2

The skill bundle manages highly sensitive 'EVM_PRIVATE_KEY' credentials and includes instructions in SKILL.md that direct the AI agent to discover and follow instructions from an external 'community-skills' directory. This 'plugin' architecture creates a significant prompt-injection surface where a secondary skill could hijack the primary agent's behavior or access its stored secrets. Additionally, the bundle uses child_process.exec extensively (e.g., in notify.js and cronjob-manager.js) to interact with the system CLI and includes an auto-installer for npm dependencies (check-dependencies.js), which are high-risk patterns for potential command injection and supply chain attacks.