Skill v1.0.5
VirusTotal security
AgentXPay · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:19 AM
- Hash: 2582337f811ff954f29b4f49ef017999d76a24fbdad9cbc6d550ce6afc12f8da
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: agentxpay
  - Version: 1.0.5

  The skill is classified as suspicious due to a Server-Side Request Forgery (SSRF) vulnerability in the `agentxpay_pay_and_call` tool (and implicitly `agentxpay_smart_call`). The `url`, `body`, and `headers` parameters in `src/runtime.ts` and `src/schemas.ts` are directly used from user input without sufficient validation, allowing an AI agent (if prompted maliciously) to make arbitrary HTTP requests to internal network resources or sensitive external endpoints. Additionally, the `agentxpay_manage_wallet` tool's `fund` action allows the agent to send its own funds to an arbitrary address and amount, which, while intended functionality for a payment agent, represents a high-risk capability that could be abused through prompt injection.
