Skill v1.0.3
VirusTotal security
Recharge / Renew of Skills | 技能账户充值/续费 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 8:31 PM
- Hash: 1678df12de45012b638a7bc138051821714d3fa5b73591c1ccc9e773f2dc1d1e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: smyx-payment; Version: 1.0.3. This skill bundle contains multiple critical security risks, most notably a hardcoded RSA Private Key and Alipay Public Key across several files (e.g., scripts/alipay_real_payment.py, scripts/pay_now.py, and scripts/alipay_pay.py). While intended for payment integration, hardcoding merchant private keys is a severe vulnerability. Additionally, SKILL.md contains contradictory instructions: it defines 'Safety Redlines' that strictly prohibit local order generation, yet later provides a 'Backup Plan' with explicit Python code and instructions for the AI agent to bypass the cloud API and generate orders locally if the server is unreachable. This creates a significant prompt-injection surface that could lead to unauthorized or unverified financial transactions. The bundle also includes an unusually broad range of scripts, including a full Flask authentication server (scripts/cloud_api_auth.py) and a key generator (scripts/generate_keys.py), which exceeds the typical scope of an OpenClaw skill.
