Skill v1.0.2
VirusTotal security
Zhentan · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Mar 29, 2026, 9:41 AM
- Hash: 4e9896d65bd42348b0220652c481e3d39c663be95e7bb1dc2af868203fac0861
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: zhentan; Version: 1.0.2. The 'zhentan' skill acts as a security co-signer for blockchain transactions, interacting with a remote API at api.zhentan.me. While its stated purpose is security monitoring, the SKILL.md file contains multiple instructions for the AI agent to construct and execute shell commands (curl) using unsanitized user inputs (e.g., transaction IDs, Safe addresses, and Telegram user IDs). This creates a significant risk for shell command injection if the agent processes malicious input from a user. Additionally, the skill requires a sensitive AGENT_SECRET which is transmitted to the external domain, and while this is part of its functional design, the high-privilege nature of the tool combined with insecure command templates warrants caution.
