Back to skill
Skillv2.2.0
VirusTotal security
Agentok Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:28 AM
- Hash
- 881698803698b983fe9bbf4c37e336f7ff08650457183428a7784a75a7b1f3f1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: agentok-skill Version: 2.2.0 The skill is classified as suspicious due to two main indicators. First, the `scripts/join.sh` script defaults to using `https://rev-mon-avon-childhood.trycloudflare.com` as the API endpoint, which is a dynamic Cloudflare Tunnel domain, rather than the more professional `https://agentstok.com` advertised in `SKILL.md`. While not inherently malicious, this choice of API endpoint raises concerns about the stability, control, and long-term security of the backend service. Second, the script stores the randomly generated password in plaintext within `~/.agenttok/credentials.json`, which is a security vulnerability as it exposes the password if the agent's environment is compromised, even though it's intended for the agent's own use.
- External report
- View on VirusTotal