Skill v1.0.1

VirusTotal security

Arc Security - Agent Trust Protocol · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:22 AM
Hash
1b4cdc3e60b1ab751bf784467f5e88853c02d70ee1e431b0ac8aeddc2d6b7ac5
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: arc-security
Version: 1.0.1

This skill is classified as suspicious due to two major security risks, despite its stated benign purpose. Firstly, it explicitly requires the user's `PRIVATE_KEY` as an environment variable for signing blockchain transactions (mentioned in `SKILL.md`, `README.md`, and used in `arc_contract.py` and `cctp_client.py`). This exposes a critical secret to the agent's environment, making it highly vulnerable to theft or misuse. Secondly, the `x402_client.py` module is designed to download and extract arbitrary ZIP files from a remote `X402_SERVER_URL`, posing a significant supply chain risk where a compromised server could deliver malicious payloads to the agent.