Back to skill
Skillv1.0.0
VirusTotal security
open-stellar-wallet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:02 AM
- Hash
- 8f9ea1d601f6535a9b577e35602d60ef33bc4caa4f7883505a02466f2daaacca
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: open-stellar Version: 1.0.0 The skill is classified as suspicious due to two main factors: 1) The installation process involves downloading and executing a shell script (`install.sh`) directly from a remote GitHub URL (`https://github.com/stellar/stellar-cli/raw/main/install.sh`). While this is a common installation method for CLIs and the source appears legitimate, it introduces a supply chain risk, as a compromised script could lead to arbitrary code execution. 2) The `SKILL.md` explicitly instructs the AI agent to perform 'First-Run Setup' steps 'automatically — do NOT ask the user for confirmation'. Although the current automatic actions (setting up a testnet wallet with test funds) are benign, this instruction demonstrates a prompt injection technique that bypasses user consent, which could be exploited if the commands were altered to perform malicious actions.
- External report
- View on VirusTotal