Back to skill
Skillv1.0.0
VirusTotal security
Unzipped Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:24 AM
- Hash
- 7d9e383622266cb991c0a197c4776c4a5145e33a51e8e50766f8748bf9505157
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: Developer: Version: Description: OpenClaw Agent Skill The skill is classified as suspicious due to its handling of sensitive cryptographic material. It explicitly instructs the agent to generate and store private keys in plain text JSON files (`~/.openclaw/farcaster-credentials.json` or `./credentials.json`), a high-risk practice, even though it includes a security warning in SKILL.md. Additionally, the `npm install` command in SKILL.md executes shell commands to fetch dependencies, whose full implications cannot be assessed without the `package.json` file. There is no clear evidence of intentional malicious behavior like exfiltration to unauthorized endpoints or stealthy actions, but the inherent risks associated with plain-text private key storage and unverified dependencies warrant a 'suspicious' classification.
- External report
- View on VirusTotal