Back to skill
Skillv0.1.8
VirusTotal security
UniMarket P2P Marketplace · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:07 AM
- Hash
- 7e003ac709f7dbff0777e69c153e435c088eaca6b56eaa886de7eb04c8a16b2e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: vector-skill Version: 0.1.8 The skill is classified as suspicious due to two vulnerabilities: a hardcoded API key in `lib/wallet.ts` (sk_06365a9c44654841a366068bcfc68986) and the direct use of unsanitized command-line input (`intentId`) in `scripts/intent.ts` when constructing an API path. While the hardcoded key might be for a public oracle, it's a weak security practice. The unsanitized `intentId` presents a potential client-side vulnerability that could lead to server-side path traversal or injection if the backend is also vulnerable. No evidence of intentional malicious behavior (e.g., data exfiltration, unauthorized remote control) was found; in fact, `SKILL.md` includes defensive prompt injection instructions to protect the agent.
- External report
- View on VirusTotal