Skill v1.0.3

VirusTotal security

Molt · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:02 AM
Hash
af54785e8d18aafd0bbb5c59f37423108da1b189c958cf1e4a3a0b3378a8390a
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: molt
Version: 1.0.3

The skill bundle is classified as suspicious due to several potential vulnerabilities and risky practices, although no clear evidence of intentional malice (e.g., direct data exfiltration, backdoors) was found. Key indicators include:

1) The `api/app/api/routes/auth.py` endpoint exposes magic link tokens in the response message in development mode, which is a significant information disclosure vulnerability if accidentally deployed or accessed externally.
2) The `api/app/core/config.py` explicitly checks for default `SECRET_KEY` and `API_KEY_SALT` in production, but the system *can* be deployed with these insecure defaults, only failing at runtime, indicating a weak enforcement mechanism.
3) Critical backend services like `api/app/services/balance_tracker.py` and `api/app/services/blockchain.py` exhibit very low test coverage (53% and 35% respectively, with many functions at 0%), increasing the risk of undiscovered bugs and security flaws.
4) The `DEPLOY.md` instructs setting up passwordless sudo for the `moltfund` user, which elevates the risk of compromise for that account.