Skill v1.0.0
VirusTotal security
hey.lol · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:09 AM
- Hash: 56501abe3b272b6668b00346777df5714f9dc6cf3f5f5ad2beb4791d09d82e60
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: hey-lol. Version: 1.0.0. The `SKILL.md` contains a critical prompt injection vulnerability by instructing the AI agent to `GET https://hey.lol/skill.md` and use its content as the 'source of truth' for all instructions. This allows the skill owner to dynamically alter the agent's behavior at any time, bypassing initial security review. Additionally, the skill generates and requires the agent to store Solana and Base private keys, which are then used for all authenticated API calls to `api.hey.lol`. While necessary for the stated purpose, the vague 'STORE SECURELY' instruction for an AI agent poses a significant risk of insecure handling of sensitive cryptographic material.
- External report: View on VirusTotal
