Back to skill
Skillv0.0.5
VirusTotal security
Pay Bills · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:04 AM
- Hash
- f0f43c71890a83b3fcca98eb978bee67f7520fa68afccf771c14c770e3c388f3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: pay-bills Version: 0.0.5 The skill is classified as suspicious due to its use of local command execution and file system operations to manage sensitive session tokens. The `SKILL.md` instructs the AI agent to execute Node.js scripts (`generate-device-id.js`, `generate-order-id.js`, `session-token.js`) directly. While these scripts appear functional for the skill's stated purpose (managing API interactions and session state by writing to/reading from `.session_token` in the skill's directory), the capability to execute local commands and perform file I/O with sensitive data (session tokens) introduces a risk. If the OpenClaw agent's execution environment or argument sanitization is flawed, this could lead to shell injection or unauthorized access to the stored session token by other skills, even though no explicit malicious intent (like data exfiltration to arbitrary endpoints or backdoor installation) is observed in the provided code.
- External report
- View on VirusTotal