Back to skill
Skillv1.4.6
VirusTotal security
Assetclaw · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 19, 2026, 4:46 PM
- Hash
- 9e27643dd2f2ad34bb2eaedf136244a556f162a538114c18b4ea798b3fa81279
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: assetclaw Version: 1.4.6 The skill bundle implements an asset management client that uses high-risk credential handling patterns. Specifically, SKILL.md instructs the AI agent to write plaintext usernames and passwords to a temporary file (/tmp/assethub-claw-temp-session.json), and the helper script scripts/assethub_api.sh stores JWT tokens in /tmp/assethub-claw-session.json. While these behaviors are presented as session management features for the AssetHub API, storing sensitive credentials in predictable temporary directories is a significant vulnerability. The documentation also references a dynamic DNS endpoint (http://160ttth72797.vicp.fun/api) alongside a private IP (192.168.1.111), which is a common pattern for exposing internal services but increases the risk of credential exposure.
- External report
- View on VirusTotal