Skill v1.0.6

VirusTotal security

moonfun_sdk · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:17 AM
Hash
56979e7b7537b6e1bafeaebcfccce0a6869c43590fe7b2ceb206e18b523b7a35
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: moonfunsdk
Version: 1.0.6

The skill bundle is classified as suspicious due to a significant vulnerability: the image generation API (`http://moonfun.site`) uses unencrypted HTTP to transmit sensitive data, including the user's wallet address, cryptographic signature, and AI prompt. While the private key itself is explicitly stated to be, and appears to be, handled locally for signing, the use of HTTP exposes these critical pieces of information to potential Man-in-the-Middle (MITM) attacks, allowing interception of user identity and authentication tokens. This vulnerability is present in `python/moonfun_sdk/image_api.py` and in the default configuration in `python/moonfun_sdk/client.py` and `python/moonfun_sdk/constants.py`. The extensive documentation and explicit security claims, including instructions for auditing private key handling, suggest an intent for transparency rather than malice, but the unencrypted communication of sensitive data constitutes a critical flaw.