Back to skill
Skillv1.0.0
VirusTotal security
Trails - pay with any token from any chain · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:18 AM
- Hash
- 2c092298eb8fa8463f1c25eceefd7d6d0c6be8c2050585dc7076d98877738f24
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: trails Version: 1.0.0 The skill instructs the AI agent to read environment variables and `.env` files (e.g., `TRAILS_API_KEY`, `NEXT_PUBLIC_TRAILS_API_KEY`) from the user's project, as detailed in `SKILL.md` and `README.md`. While this is presented as necessary for the skill's stated purpose of integrating the Trails API (api.trails.build), granting an AI agent direct access to local environment configurations is a high-risk capability. This could be exploited via prompt injection to exfiltrate other sensitive environment variables or local files. Additionally, the skill instructs the agent to install dependencies without version pins (`@0xtrails/trails`, `@0xtrails/trails-api`), which introduces a supply chain risk.
- External report
- View on VirusTotal