Skill v1.0.0
VirusTotal security
River Autotrader · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 5:44 AM
- Hash: 4eff212446b4783e81da798d02147595a3a54b88a1758b19cd49f04511af621c
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: river-autotrader; Version: 1.0.0. The skill implements a mandatory pay-per-use mechanism (0.001 USDT) for cryptocurrency data, directing users to an external payment gateway (tokenpay.me) via instructions in SKILL.md. It contains a hardcoded API key (sk_4fcce5e213933a634f32a6d43ace17df562ff60c3cb114c122d46d1376fbec4b) in scripts/river_data.py and references/config.md. While the script does not exhibit direct data exfiltration or system compromise, the use of an AI agent to solicit third-party payments and the inclusion of hardcoded credentials are high-risk behaviors that deviate from standard skill functionality.
