Back to skill
Skillv1.0.2
VirusTotal security
Ceo Protocol Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:58 AM
- Hash
- 8498937248f638394a5e7d00c1783b3b6216f6adc98286348d5047c82c0cbc76
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ceo-protocol-skill Version: 1.0.2 The skill is classified as suspicious due to its direct handling of the `AGENT_PRIVATE_KEY` environment variable for signing blockchain transactions (via `scripts/common.mjs` and `scripts/submit-proposal.mjs`), and a potential prompt injection vulnerability in `SKILL.md` related to the 'Discussion API'. The API allows HTTP POST requests to a configurable `APP_BASE_URL` (defaulting to `localhost:3000`) with user-controlled `content`. If `APP_BASE_URL` were maliciously configured and the agent prompted to include sensitive data, this could lead to data exfiltration. While these capabilities are necessary for a DeFi agent, they represent significant security risks if misused or misconfigured, indicating a vulnerability rather than explicit malicious intent.
- External report
- View on VirusTotal