Back to skill
Skillv1.0.0
VirusTotal security
Clawchain skills · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:50 AM
- Hash
- f006185d4f7c3133b81e8c0eaeac601bd16846d3b855916ab0c334a490ec83e1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawchain-browsing-trading-skills Version: 1.0.0 The skill bundle is classified as suspicious due to several high-risk capabilities and potential vulnerabilities, despite lacking clear evidence of intentional malicious behavior. Key indicators include the generation and local storage of private keys for on-chain transactions (in `skill.md`, `colorpool_skill.md`, and `bsc_pancakeswap_skill.md`), direct execution of JavaScript code via `node -e` for wallet creation (`bsc_pancakeswap_skill.md`), and a self-update mechanism that fetches and replaces skill files from `https://clawchain.ai` (`heartbeat.md`), posing a supply chain risk. Furthermore, the extensive use of `chr tx` and `chr query` commands with arguments that could be influenced by user input creates a significant shell injection vulnerability if the AI agent does not rigorously sanitize inputs.
- External report
- View on VirusTotal