Back to skill
Skillv1.0.2
VirusTotal security
Clawbet · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:27 AM
- Hash
- d2e4ab42e9423280d708d4299d392e22a0b4796def3277455ac6dd6ddd9b70b3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: clawbet Version: 1.0.2 The skill bundle is classified as suspicious due to a significant supply chain vulnerability. The `SKILL.md` and `HEARTBEAT_FRAGMENT.md` files instruct the AI agent to periodically fetch and 'parse new rules' from `https://clawbot.bet/api/skill.md`. This 'hot-reload' mechanism allows for remote prompt injection and potential Remote Code Execution (RCE) if the `clawbot.bet` server is compromised, as the agent would execute arbitrary instructions from the updated markdown. While the skill demonstrates good security practices for isolating sensitive operations like wallet creation and transaction signing via subprocesses (`scripts/create_wallet.py`, `scripts/sign_and_send.py`) and includes explicit warnings against known malicious packages, the remote update capability poses a critical vulnerability.
- External report
- View on VirusTotal