Skill v1.0.0

VirusTotal security

PolyClaw Pro · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:37 AM
Hash: 5004111544e59d13fd3baf0e76335a3bb2579c27df678183093c2167a40d1a29
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: polyclaw-pro
Version: 1.0.0

This skill is classified as suspicious due to its inherent high-risk capabilities, although these appear to be aligned with its stated purpose as a Web3 trading bot. Key indicators include the direct handling of a user's EVM private key (`POLYCLAW_PRIVATE_KEY`) from environment variables for signing and sending blockchain transactions (e.g., in `auto_redeem_check.py`, `discipline_scanner.py`), which is explicitly acknowledged as a security risk in `SKILL.md` and `README.md`. The skill also employs network proxies (Tor via `httpx[socks]` and `curl-cffi`) for Cloudflare bypass, and utilizes `subprocess.run` in `polyclaw_api.py` to execute other scripts (e.g., `swap.py`), which presents a potential Remote Code Execution (RCE) vulnerability if an AI agent were to be prompt-injected into passing malicious arguments. While these functionalities are necessary for a trading bot, their combined risk profile warrants a 'suspicious' classification rather than 'benign'.