Back to skill
Skillv0.2.0
VirusTotal security
Bitkit Cli · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:21 AM
- Hash
- 604a7846c8fe1c031f0deb15cd0151d9858969a20473fe306f6dac4df22e0a81
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: bitkit-cli Version: 0.2.0 The skill bundle is classified as suspicious primarily due to the `curl -sSL ... | sh` installation method in `SKILL.md` and `README.md`. While the `install.sh` script itself includes checksum verification and downloads from the official GitHub repository, this pattern introduces a supply chain vulnerability where a compromised repository or CDN could lead to arbitrary code execution. Additionally, the `--no-password` option for `bk init` (documented for agent use) stores the wallet seed in plaintext, posing a significant security risk if the agent's environment is compromised. These are critical vulnerabilities, but there is no clear evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints, persistence mechanisms beyond the stated daemon mode, or prompt injection attempts against the agent.
- External report
- View on VirusTotal