Back to skill
Skillv2.0.0
VirusTotal security
Soho · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignApr 30, 2026, 4:26 AM
- Hash
- dee182ab5fdcb1623518f4d8c14114ac55181102983dc500b8cba44b3d91cf3f
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: soho-pay Version: 2.0.0 The OpenClaw AgentSkills bundle is designed for orchestrating payments on a credit layer and exhibits a strong security-first design. Key security features include explicit manual invocation and user confirmation requirements enforced by both metadata (`SKILL.md`, `skill.json`) and a runtime guard (`scripts/pay.js`). The skill strictly separates key custody, stating it never holds private keys, delegating signing to user-controlled wallet signers (local dev key or remote MPC/HSM). Robust environment variable validation using Zod (`src/config.js`) prevents misconfiguration, and the use of local private keys is strictly gated to testnets by default. Input sanitization for `merchantAddress` prevents address spoofing, and all external network calls are to user-configured URLs with proper authentication. There is no evidence of data exfiltration, malicious execution, persistence mechanisms, or prompt injection attempts against the agent.
- External report
- View on VirusTotal