Back to skill
Skillv1.0.0
VirusTotal security
Chia SplitXCH · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 3:45 AM
- Hash
- 2ffad2eba0278597f8bf0fc8e99a0fdb2d2557e95ed9e6222007ad6b2ace2b49
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: chia-splitxch Version: 1.0.0 The skill is suspicious due to a clear prompt injection vulnerability against the AI agent, which could lead to shell injection. The `SKILL.md` instructs the agent to "Parse the user's plain-language split description" and then execute `scripts/splitxch.sh` with a JSON payload derived from this user input. If the agent fails to properly sanitize or escape malicious user input when constructing the JSON payload, an attacker could inject arbitrary shell commands into the payload, which would then be processed by `jq` and potentially `curl` within `scripts/splitxch.sh`, leading to unauthorized command execution. While the script itself is not inherently malicious, the design exposes a significant risk through the AI agent's interpretation of untrusted input.
- External report
- View on VirusTotal