Skill v1.1.0
VirusTotal security
Apiosk Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict: Suspicious · Apr 30, 2026, 3:51 AM
- Hash: 2e117ab5ebe8a594375ffdf17ebe1b6c960d8cafd85636d706d1f93d1bc968dc
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: apiosk
  - Version: 1.1.0
  - The skill is classified as suspicious due to critical vulnerabilities, primarily the storage of the wallet's private key in plaintext within `~/.apiosk/wallet.json`. Although this risk is explicitly disclosed and warned against in `SKILL.md`, `README.md`, and `SECURITY.md`, and file permissions are set to `chmod 600`, it remains a high-risk design choice. Additionally, the `call-api.sh` script directly uses the `$PARAMS` variable in a `curl -d "$PARAMS"` command, which could create a shell injection vulnerability if an AI agent were to construct or pass unsanitized input from a user, potentially leading to arbitrary command execution. There is no clear evidence of intentional malicious behavior such as hidden data exfiltration, persistence mechanisms, or stealthy prompt injection against the agent.
