Skill v2.0.2
VirusTotal security
OpenFunderse Participant · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:58 AM
- Hash: 5b4c303e023e28ef3c84ee7eea47256fe6b62a5b5f674b9cf52cda306d0e864e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: openfunderse-participant; Version: 2.0.2. The skill is classified as suspicious due to several high-risk capabilities and potential vulnerabilities, despite lacking clear evidence of intentional malicious behavior. Key indicators include the `installCommand` in `SKILL.md` which executes remote code via `npx @wiimdy/openfunderse@2.0.0`, introducing a supply chain risk. The skill also handles a highly sensitive `PARTICIPANT_PRIVATE_KEY` (generating, storing backups in `~/.openclaw/workspace/openfunderse/wallets`, and using it for signing), and modifies global OpenClaw runtime state by updating `~/.openclaw/openclaw.json` and restarting the gateway. While these actions are described as part of its legitimate function, they represent significant attack surfaces and powerful capabilities that could be exploited if the external package is compromised or if configurations like `PARTICIPANT_ALLOW_HTTP_RELAYER` are set insecurely.
