Back to skill
Skillv1.0.0
VirusTotal security
MoltCredit · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 3:48 AM
- Hash
- 0e69e40ab95f715840ec6d38acbb314dbaae93286f5950ef24789957bc9c81ce
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: moltcredit Version: 1.0.0 The skill bundle is classified as suspicious due to several shell and JSON injection vulnerabilities in its bash scripts. Specifically, `scripts/balance.sh` and `scripts/history.sh` directly interpolate user-supplied arguments into `curl` URLs, creating potential shell injection risks. `scripts/settle.sh` directly inserts a user-supplied agent name into a JSON payload without proper escaping, leading to a JSON injection vulnerability. While these flaws could be exploited for command execution or data manipulation, there is no evidence of intentional malicious behavior such as data exfiltration or backdoor installation. The `SKILL.md` content is benign and does not contain prompt injection attempts against the AI agent. All network calls are directed to the legitimate Google Cloud Run endpoint: https://moltcredit-737941094496.europe-west1.run.app.
- External report
- View on VirusTotal