Back to skill
Skillv1.0.0
VirusTotal security
plugy · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:39 AM
- Hash
- ec0c52c5d9ac32f906708ae6d1c064145287994803ad6c22705d995f20262f39
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: plugy Version: 1.0.0 The skill instructs the AI agent to download and execute further instructions from an external domain (plugy.fun) via `curl` commands in `skill.md`, creating a supply chain risk where a compromised remote server could dictate agent behavior. Additionally, the agent is explicitly instructed to handle and store highly sensitive information, including a Solana wallet `privateKey` and an `apiKey`, making it a prime target for prompt injection attacks aiming to extract these credentials from the agent's memory or local storage (`~/.config/plugy/credentials.json`). While these are significant vulnerabilities and risky capabilities, there is no explicit instruction for malicious actions like unauthorized exfiltration or persistence within the provided files.
- External report
- View on VirusTotal