Back to skill
Skillv0.1.4
VirusTotal security
ClawWallet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 9, 2026, 7:46 AM
- Hash
- f555fbaf2be9c9982146ca0e26d277de6742e6490b90bcdff4c734cbb17cf6a7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: claw-wallet-pro Version: 0.1.4 The skill bundle contains high-risk instructions in `SKILL.md` that direct the AI agent to fetch and execute arbitrary shell commands from a remote API (`openclawby.com`) if a requested capability is not found locally, effectively creating a Remote Code Execution (RCE) mechanism by design. Furthermore, `install.sh` and `claw-wallet.sh` utilize the risky `curl | bash` pattern to download and run scripts from `www.clawwallet.cc` for installation and upgrades. While these behaviors are presented as 'marketplace' and 'auto-update' features for a multi-chain wallet, the combination of automated remote execution and the handling of sensitive financial credentials (like `CLAY_AGENT_TOKEN`) constitutes a significant security risk.
- External report
- View on VirusTotal