Skill v1.0.0

VirusTotal security

Vincent - Agent Wallet · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious
Apr 29, 2026, 3:23 AM
Hash
574e3b089d1b8085bbdf199b73eb9c8b134c8491568ed9c69b91fac0fda6e54e
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: vincent
Version: 1.0.0

The skill is classified as suspicious due to several high-risk capabilities and potential prompt injection vectors, despite its stated benign purpose. The `SKILL.md` file instructs the agent to store and retrieve API keys from specific file system paths (`~/.openclaw/credentials/agentwallet/` or `agentwallet/`), indicating file system read/write access. More critically, it explicitly instructs the agent to accept a user-provided `relinkToken` and use it directly in an unauthenticated API call to `https://heyvincent.ai/api/secrets/relink` to obtain a new API key. This creates a direct prompt injection surface where user input is treated as a sensitive authorization token, allowing a malicious user to potentially trick the agent into misusing the recovery mechanism. The skill also involves high-risk financial transactions (transfers, swaps, betting) via API calls to `https://heyvincent.ai`.