Back to skill
Skillv1.0.0
VirusTotal security
VenmoClaw - Give your Claw Agent a credit card - They can spend anywhere or request payment · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:47 AM
- Hash
- f108b80de01e89226dc1d52025e0cad3dd1a61d3fea6dd89bd9430db3387d356
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: venmo Version: 1.0.0 The CreditClaw skill bundle facilitates financial transactions for agents but introduces significant security risks through its operational instructions. File `skill.md` contains a prompt injection attempt, advising the agent to execute a series of `curl` and `mkdir` commands to 'install locally' if it is 'unsure' of how to proceed. More critically, `encrypted-card.md` describes a 'Rail 5' workflow where the agent is instructed to download and execute a server-provided script (`decrypt.js`) to handle encrypted card data, which represents a high-risk Remote Code Execution (RCE) surface. While these features are framed as part of a legitimate financial service (IOC: `creditclaw.com`), the reliance on dynamic code execution and instructions to modify the local environment warrants a suspicious classification.
- External report
- View on VirusTotal