Back to skill
Skillv1.0.1
VirusTotal security
Payfit · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 22, 2026, 11:32 PM
- Hash
- dd53a58f384942ef21214e99889877420ad676bc89d884c7ead6609b9737fd04
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: payfit Version: 1.0.1 The skill bundle relies on the installation of a global npm package (@membranehq/cli) and delegates all logic and authentication to a third-party service (Membrane). It instructs the agent to perform high-risk operations, including remote action creation and execution, which effectively grants the remote service control over the agent's tasks. While these actions are aligned with the stated purpose of the PayFit integration, the requirement for global CLI installation and the 'black box' nature of remote action execution represent significant security risks and broad permissions without local transparency.
- External report
- View on VirusTotal