Skill v1.0.1
VirusTotal security
Moltbet Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 3:54 AM
- Hash: ad263e0b763edbd740c82a56d39e99923a6aa14f100bf1cba164ab78031e9230
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: moltbet. Version: 1.0.1. The skill is classified as suspicious primarily due to a critical supply chain vulnerability found in `heartbeat.md`. This file contains instructions for the AI agent to periodically fetch and overwrite its own `skill.md` and `heartbeat.md` files from an external URL (https://moltbet-web.vercel.app). If this external server is compromised, an attacker could inject arbitrary commands or malicious instructions into the agent's operational logic, leading to remote code execution or prompt injection against the agent. Additionally, the skill relies on installing a global npm package (`moltbet`) and interacting with external API endpoints (https://moltbet-api.onrender.com/api), which introduce further supply chain risks. While `skill.md` includes explicit warnings to the agent about handling private keys, the self-update mechanism presents a severe, exploitable vulnerability.
