Back to skill
Skillv1.4.0
VirusTotal security
Fuego · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:51 AM
- Hash
- 8c992b96552019141ca2dd514897b9f9da83ea4aed8de20af30fc896878fa025
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: fuego Version: 1.4.0 The skill is classified as suspicious due to two significant security vulnerabilities outlined in the SKILL.md. Firstly, the 'Agent Integration Patterns' section explicitly recommends using `execSync` in Node.js for CLI calls, which is a common vector for shell injection if inputs are not properly sanitized, potentially leading to arbitrary code execution. Secondly, the 'One Exception - x402 Payments' section details that the localhost server temporarily accesses the private key for server-side signing, which, despite claims of memory clearing, expands the attack surface for the private key and deviates from the stated 'private keys never leave your machine' security model.
- External report
- View on VirusTotal