Back to skill
Skillv1.0.1
VirusTotal security
Plutio · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:50 AM
- Hash
- e999717bf8cae839fe3e1c94ef83dd4afaadc9c5b50c42623da6a441c6d57e8a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: plutio Version: 1.0.1 The skill is designed for legitimate Plutio API interaction. The primary concern is the `scripts/plutio-cli.py` script's acceptance of sensitive API credentials (`--app-key`, `--secret`) directly as command-line arguments. This practice, also demonstrated in `SKILL.md`, `references/examples.md`, and `references/powershell-workflows.md`, is a vulnerability as it can expose credentials in process lists, shell history, or logs. While `references/setup-guide.md` provides good security advice on credential storage, the CLI's design still presents this risk. There is no evidence of intentional malicious behavior, data exfiltration to unauthorized endpoints, or prompt injection attempts to subvert the agent's core function.
- External report
- View on VirusTotal