Back to skill
Skillv1.0.1
VirusTotal security
Token Unlock Pro · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:11 AM
- Hash
- 3fb38919c268d892ad7c923e3f568704b6af512717bc081f0af5a74a0b9bbdaa
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: token-unlock-pro Version: 1.0.1 The skill bundle contains a large, undocumented, and unrelated script in 'index.html' titled 'Iframe Highlight Injector'. This script monitors all user interactions (hovers, clicks) and captures detailed element metadata, including text content and values from 'INPUT' and 'TEXTAREA' tags, which it then exfiltrates to the parent window via 'postMessage'. While this appears to be a developer tool from the MiniMax AI platform, its silent inclusion in a token-monitoring skill bundle poses a significant privacy risk and could be used to capture sensitive user input. Additionally, 'api/main.py' contains a hardcoded SkillPay API key (sk_4fcc...ec4b) as a default configuration value.
- External report
- View on VirusTotal