Back to skill
Skillv0.2.2
VirusTotal security
OpenClaw Paid Actions · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:13 AM
- Hash
- 9515149b4ced15d393a33da2b60e4406139856caa175af56c937f041705ca770
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: openclaw-paid-actions Version: 0.2.2 The skill bundle is classified as suspicious due to the described architecture in `SKILL.md` that allows for the execution of external scripts (e.g., `scripts/paid-actions/x-shoutout.mjs`) with input derived from potentially untrusted sources (`OPENCLAW_PAID_ACTION_INPUT_JSON`). While the `SKILL.md` itself does not contain malicious code or direct prompt injection, it outlines a design pattern where a vulnerability in the external scripts could lead to Remote Code Execution (RCE). The documentation acknowledges this risk by recommending `enforceReviewedScripts: true` and advising to 'Review every configured action command before enabling autonomous execution', indicating a known attack surface.
- External report
- View on VirusTotal