Skill v1.1.1
VirusTotal security
Sportsbook Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 3:52 AM
- Hash: 4e3abf907aab97df23cf9419b3a45fd13e3c24b41b0bace4848d7bab5aa0e080
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: sportsbook. Version: 1.1.1. The skill is classified as suspicious due to several vulnerabilities, primarily related to prompt injection risks and the handling of highly sensitive data. The `SKILL.md` instructs the AI agent to collect a 'betting perspective' (`USER_PERSPECTIVE`) which is then passed to the backend API via `register_helper.py`. This creates a prompt injection vector against the backend AI system. More critically, the `register_helper.py` script returns a wallet seed phrase upon successful registration, which the `SKILL.md` instructs the agent to display to the user. If the OpenClaw agent itself were compromised via prompt injection, it could be instructed to exfiltrate this seed phrase. Additionally, the skill is designed for significant autonomous operation (e.g., `poll_notifications.py` and `HEARTBEAT.md` integration), which, while intended, increases the attack surface if the agent is prompt-injected to perform unauthorized actions.
