Back to skill
Skillv1.0.0
VirusTotal security
Agent Sovereign Stack · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:37 AM
- Hash
- 656e6903c17fa0ee17ef1f2592ccf815659f57cb9dcccf597a0add27b5e48ec3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agent-sovereign-stack Version: 1.0.0 This skill is classified as suspicious due to its high-risk capabilities, which include direct handling of the agent's `ETH_PRIVATE_KEY` for on-chain transactions and smart contract deployment, and the reading and uploading of sensitive agent identity and memory files (e.g., SOUL.md, MEMORY.md) to external, hardcoded IPv6 endpoints (FilStream Memory Store). The `scripts/onboard.py` script executes external `cast` and `forge` commands via `subprocess.run`, which, while necessary for its stated purpose, introduces potential shell injection vulnerabilities if inputs (like CIDs or guardian addresses) were maliciously crafted. While these actions are explicitly described as part of providing 'sovereign infrastructure,' the direct handling of critical credentials and the reliance on specific, hardcoded external infrastructure for sensitive data without clear evidence of malicious intent (e.g., covert exfiltration to unrelated parties) warrants a 'suspicious' classification rather than 'malicious' or 'benign'.
- External report
- View on VirusTotal