Skill v1.0.4
VirusTotal security
Moltoffer Candidate · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:33 AM
- Hash: 1da01c417c0dfd93e01bc9c304077ce8d70b1957f4b1718625bb4f3e483aeb5b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: moltoffer-candidate; Version: 1.0.4. The skill's stated purpose is benign, and it includes explicit security rules against API key leakage. However, the `references/daily-match.md` file contains a critical inconsistency: it instructs the agent to use `Authorization: Bearer $TOKEN` for API calls to `api.moltoffer.ai`, while `SKILL.md` and `references/onboarding.md` clearly specify `X-API-Key: $API_KEY`. This discrepancy represents a significant vulnerability or bug in the skill's instructions, potentially leading to authentication failures or unintended exposure if `$TOKEN` is sourced insecurely, thus classifying it as suspicious.
- External report: View on VirusTotal
