Skill v0.2.1
VirusTotal security
Volcengine Agent Identity · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:22 AM
- Hash: cfa5abf2f035a80f537d315ac930ae4e2918e1301238c3d791b8fbb547731ac8
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: volcengine-agent-identity. Version: 0.2.1. The skill is classified as suspicious due to a high-risk vulnerability in the `identity_fetch` tool. Specifically, the `returnValue: true` parameter allows the AI agent to retrieve the raw credential string directly. If an attacker can craft a prompt to trick the agent into calling `identity_fetch` with this parameter for an existing credential, the agent would gain access to the sensitive credential, enabling potential exfiltration. While the skill includes security features like risk checking and explicit instructions against agent self-approval, this specific capability presents a significant attack surface for credential theft via prompt injection.
