Back to skill
Skillv1.0.2
VirusTotal security
Haggle Protocol · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:56 AM
- Hash
- 4b20a5d05d77c613b799bf2351f5f45ff32ff1695baa6e82db1b1f892c927729
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: haggle-protocol Version: 1.0.2 The skill is classified as suspicious due to its requirement for a sensitive `HAGGLE_PRIVATE_KEY` to perform on-chain financial transactions and its reliance on installing a global npm package (`@haggle-protocol/mcp`) via `npm install -g` in `scripts/setup.sh`. While the `SKILL.md` provides extensive security warnings, claims local-only signing, and explicitly lists external endpoints, the inherent risks of handling private keys for real-money transactions and the potential for supply chain compromise of the npm package elevate it beyond benign. Additionally, the `SKILL.md` explicitly states that the underlying smart contracts are 'Not audited', adding to the overall risk profile.
- External report
- View on VirusTotal