Skill v0.1.0
VirusTotal security
Bankr · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:45 AM
- Hash: 1c38d97ab4b4e6ba8cfbcf79f3eee58bb721fc418f5e70829ff406347f658b31
- Source: palm
- Verdict: suspicious
- Code Insight (Type: OpenClaw Skill; Name: bankr-2; Version: 0.1.0): The skill bundle exposes highly sensitive financial operations, including crypto trading, transfers, token deployment, and arbitrary transaction submission, to an AI agent. While the documentation is transparent about these risks and provides extensive security advice (e.g., dedicated agent wallets, read-only keys, IP whitelisting), the core capabilities present significant prompt injection vulnerabilities. Specifically, the agent can be instructed to read/write its own API keys (`bankr config get/set`), modify the OpenClaw agent's configuration (`bankr llm setup openclaw --install`), and execute arbitrary, irreversible blockchain transactions via `POST /agent/sign` and `POST /agent/submit` (documented in `SKILL.md`, `references/arbitrary-transaction.md`, `references/sign-submit-api.md`). These capabilities, if exploited by a malicious user through prompt injection, could lead to unauthorized fund transfers, contract approvals, or other harmful actions.
