Back to skill
Skillv1.0.0
VirusTotal security
Web3Dropper Verified Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:27 AM
- Hash
- 4e96f34d4c7a0779bc5117c9dd6bd816fa77d06ef1437e60e5fa03172c094b10
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: web3dropper-verified-agent Version: 1.0.0 The skill bundle is classified as suspicious primarily due to its metadata slug 'web3dropper-verified-agent' in _meta.json, which utilizes malware terminology ('dropper'). While the code implements a functional Web3 identity management system using the Iden3 protocol, it explicitly stores unencrypted private keys in the user's home directory ($HOME/.openclaw/billions/kms.json), as documented in SKILL.md and implemented in scripts/shared/storage/keys.js. Although the scripts include defensive measures like shell-operator sanitization in scripts/shared/utils.js, the combination of the suggestive naming and the high-risk handling of cryptographic secrets warrants caution.
- External report
- View on VirusTotal