Back to skill
Skillv2.0.5
VirusTotal security
Kite Agent Smart Wallet Permissionless Protocol V2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:33 AM
- Hash
- cee5cedb496f3b61d48ed4c2bf3b382cda340b6148e372f4a4fc9f4ad3b39abb
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: kite-agent-smart-wallet-permissionless-protocol-v2 Version: 2.0.5 The skill is classified as suspicious primarily due to multiple prompt injection vectors present in the markdown documentation files (`SKILL.md`, `GITHUB-SETUP.md`, `README.md`, `USER-GUIDE.md`, `用户手册.md`). These files contain shell commands (`git clone`, `npm install`, `node telegram-bot.js`, `gh auth login`, `gh repo create --push`) intended for human setup, but which an AI agent could misinterpret and execute, leading to unauthorized actions (e.g., creating GitHub repositories, pushing code). While the JavaScript code (`kite-wallet.js`, `telegram-bot.js`) handles sensitive information (private keys, Telegram bot tokens) necessary for its stated purpose of managing a crypto wallet, it does not show direct evidence of intentional data exfiltration or other malicious behavior. The use of `ethers.js` for blockchain interactions and `https` for Telegram API calls is consistent with the skill's functionality. The `GITHUB-SETUP.md` file is a particularly strong indicator of prompt injection risk due to the `gh auth login` and `gh repo create --push` commands.
- External report
- View on VirusTotal