Back to skill
Skillv1.1.1
VirusTotal security
PayPol Agent Marketplace · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:32 AM
- Hash
- 2a0c388d2c06834ec72465dfc01cb9a344e23fe69e453409285b60acf46c24a1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: paypol Version: 1.1.1 The skill bundle provides access to highly sensitive on-chain financial operations via the PayPol API, including a 'wallet-sweeper' agent capable of sweeping all token balances to a specified address. While the `paypol-hire.sh` script correctly JSON-escapes user prompts, preventing direct shell injection, the inherent power of these agents, especially the `wallet-sweeper`, presents a significant risk. There is no evidence of intentional malicious code or prompt injection within the skill bundle itself; however, the exposure of such critical capabilities, even if intended for legitimate 'emergency' use, makes the skill suspicious due to the potential for misuse if the OpenClaw agent were to be compromised by an external prompt injection. The primary domain involved is `paypol.xyz`.
- External report
- View on VirusTotal