Back to skill
Skillv1.0.0
VirusTotal security
x402 Private Search · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:04 AM
- Hash
- 34670a774183088e8c9b98d62c257b86512acea7b40ab196e1670bd03b4ff36f
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: x402-private-search Version: 1.0.0 The skill is classified as suspicious due to several vulnerabilities, despite its stated purpose appearing benign. The `SKILL.md` instructs the agent/user to store a private key in an environment variable (`X402_PRIVATE_KEY`), which is a known security risk for sensitive data. The `scripts/setup.sh` executes `npm install`, introducing a supply chain vulnerability where compromised third-party dependencies could lead to arbitrary code execution. Additionally, `scripts/x402-fetch.mjs` processes command-line arguments directly for network requests, which could pose a shell injection risk if the calling environment fails to properly sanitize or quote user-controlled input.
- External report
- View on VirusTotal