Back to skill
Skillv1.0.2
VirusTotal security
solana-payments-wallet-dev · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:34 AM
- Hash
- 5bbed0b2dbeaefaa9c09770da15129fdf52330ece23fe91d67ef6ad72a50f084
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: solana-payments-wallet-dev Version: 1.0.2 The skill is classified as suspicious due to its explicit handling and transmission of highly sensitive secrets (`PRIVY_APP_SECRET`, `TREASURY_AUTHORIZATION_KEY`) to an external API (Privy) as detailed in `SKILL.md` and `references/sign-with-privy.md`. While the skill transparently warns about this behavior, the code examples in `references/sign-with-privy.md` instruct the agent to load these secrets from `process.env`, which contradicts the `SKILL.md`'s advice to use a secrets manager. This creates a significant vulnerability where an AI agent, if compromised or misdirected by prompt injection, could misuse or exfiltrate these critical credentials, even if the skill's stated purpose is legitimate.
- External report
- View on VirusTotal