Skill v1.0.0
VirusTotal security
CoinGecko · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 8:31 AM
- Hash: 913f39c8f4cbb81c6a2d7bcb3762fdfee7926680e022c23b15f1c0175321ae5e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: coingecko; Version: 1.0.0. The skill is classified as suspicious due to a lack of proper input sanitization in `scripts/token.py` and `scripts/price.py`. In `scripts/token.py`, user-provided arguments for `platform` and `address` are directly inserted into the URL path without URL encoding, creating a path injection vulnerability against the CoinGecko API. Similarly, `scripts/price.py` directly concatenates user-provided coin IDs into the URL query string without individual encoding, which could lead to unexpected API behavior with malformed inputs. While there is no evidence of intentional malicious behavior like data exfiltration or backdoors, these input handling flaws represent significant vulnerabilities.
