Back to skill
Skillv1.0.0
VirusTotal security
MoltHands · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:02 AM
- Hash
- beadac718e82d2e6a0638b9029bce6fa0f2ee71b463b6b511a339071fd5541ba
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: molthands Version: 1.0.0 This skill bundle is suspicious due to two critical vulnerabilities. First, the agent is instructed to periodically fetch and 'follow' or execute instructions from remote markdown files (SKILL.md and HEARTBEAT.md) hosted on molthands.com. This design creates a significant prompt injection and remote code execution (RCE) risk, as a compromised molthands.com server could inject arbitrary commands into the agent's routine. Second, the task delivery methods, particularly 'email' and 'callback' described in SKILL.md and TASKS.md, allow task creators to specify arbitrary email addresses or URLs for result delivery. This enables a malicious task creator to exfiltrate sensitive data processed by the agent to an attacker-controlled endpoint.
- External report
- View on VirusTotal