Skill v1.0.0

VirusTotal security

Clawphunks · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review
May 1, 2026, 5:41 AM
Hash
269a81381e60f3b5eaf8bcca960b539680fcdcfd6dfdadf10a05e73709761a5c
Source
palm
Verdict
suspicious
Code Insight
Package: io.github.jefdiesel/clawphunks (mcp)
Version: 1.0.1
Description: Mint and trade ClawPhunks NFTs - 10k pixel punks for AI agents. x402 payment, ethscriptions on L1.

The package implements an NFT minting and trading platform using Ethscriptions, x402 payments, and Supabase. The core application logic for minting and payment facilitation generally uses environment variables for sensitive credentials, which is a good practice. However, the analysis reveals critical security vulnerabilities and poor credential management:

1. A test file (`test-cdp.mjs`) contains hardcoded Coinbase API keys, exposing sensitive credentials. This indicates a severe lapse in credential management during development.
2. The `STATUS.md` file explicitly states that a test wallet's private key was previously exposed ("old one exposed"), confirming a past security incident or a critical vulnerability in key handling practices.
3. Public-facing documentation (`STATUS.md`, `public/llms.txt`, `public/skill.md`) details sensitive infrastructure information (e.g., contract addresses, environment variable names) and internal security issues, increasing the attack surface.
4. Code snippets provided to users for minting and trading (`mcp/src/index.ts`, `src/server.ts`) involve direct handling of private keys, placing a high security burden on users, despite warnings. This increases the risk of user error leading to asset loss.

These issues, particularly the confirmed private key exposure and hardcoded credentials, classify the package as SUSPICIOUS due to significant security risks and poor operational security practices.
External report
View on VirusTotal