Skillv1.0.0

VirusTotal security

Grvt Markets · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 30, 2026, 4:20 AM

Hash: ba3f7d830804aedc071f139cbd18d1c86b37cfb2c0fc1c958e101b7cee7ca81c
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: grvt-markets-agent-skill Version: 1.0.0 This skill bundle is classified as suspicious due to its documentation of a high-risk crypto trading CLI tool (`grvt-cli`) that handles sensitive financial operations and credentials. The `SKILL.md` explicitly warns that the tool is a 'community hobby project' with 'no security audit' and 'stores API keys and private keys in plaintext on disk'. Furthermore, the recommended setup for agents involves passing API and private keys directly on the command line, exposing them in shell history and process listings. The tool also features a `--yes` flag to bypass confirmation prompts for sensitive actions like fund transfers and withdrawals, which, if misused by an agent (e.g., via prompt injection), could lead to unauthorized financial transactions. While the skill transparently discloses these risks and instructs the agent to obtain user acknowledgment, these significant vulnerabilities and risky capabilities warrant a 'suspicious' classification rather than 'benign', as they could be exploited, but there is no clear evidence of intentional malicious behavior (e.g., exfiltration to attacker-controlled domains, stealth, or backdoors) within the skill bundle itself.
External report: View on VirusTotal