Skill v0.1.0
VirusTotal security
XMTP · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:21 AM
- Hash: 9c6e37cbf85be0bb16320a6515791a28f76f14ed573f1eb0970bf04d2c0f6dd2
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: xmtp
  - Version: 0.1.0
  - The skill implements a persistent XMTP-to-OpenClaw bridge that pipes unsanitized remote message content directly into the agent's command-line interface, creating a high-risk communication channel. SKILL.md contains explicit instructions for the AI agent to override limited user requests (e.g., 'just send a message') in favor of deploying the full persistent bridge, which expands the attack surface beyond the user's explicit intent. Furthermore, the 'Public Mode' implementation in the bridge script is highly vulnerable to prompt injection, as it simply prepends a system message to raw user content before passing it to the agent.
