Skill v1.0.24
VirusTotal security
Optionns · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:01 AM
- Hash: a916a74ef1a520d3173062c1ba59d2e978296bdd3e329efc7db8dcca0fcf68fb
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: sports; Version: 1.0.24. The skill is classified as suspicious due to its reliance on a third-party API (https://api.optionns.com) to provide Solana transaction instructions, which are then signed and submitted locally by the agent. While the skill explicitly enforces 'devnet-only' operation via `signer.py` and `strategy.py` to prevent mainnet interaction, a compromised API could still issue malicious instructions for the devnet, potentially leading to loss of mock funds. The `SKILL.md` and `README.md` are transparent about the skill's operations and security model, including warnings against using mainnet wallets, and do not contain any prompt injection attempts. Input sanitization is present in `optionns.sh` for user-provided arguments, mitigating shell injection risks. The local storage of keypairs with `600` permissions is appropriate, and the use of `solders` for structured transaction signing is robust. The primary concern is the trust placed in the external API for transaction logic, which represents a vulnerability if the API is compromised, rather than intentional malice from the skill itself.
