Skill v0.1.3
VirusTotal security
Cli · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:18 AM
- Hash: 3955b93b3b162f466bea2569ce2a057085cefb264f0421c2c1d049e7cb167b2e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: x402r-dispute. Version: 0.1.3. The skill is classified as suspicious due to significant file system vulnerabilities. Specifically, `src/commands/pay.ts` allows writing arbitrary HTTP response bodies to user-specified paths via the `--output` option, and `src/commands/dispute.ts` allows reading arbitrary files as evidence via the `--file` option. These flaws could enable arbitrary file write/read if an attacker can control the input paths. Additionally, the skill handles private keys, which are stored on disk in `~/.x402r/config.json`, and makes numerous external network calls to arbiter/court URLs (e.g., `https://www.moltarbiter.com/arbiter`) and Pinata, which are high-risk operations, though necessary for its stated web3 payment dispute purpose. There is no evidence of intentional malicious behavior like data exfiltration or persistence.
