Skill v1.0.0
VirusTotal security
Heath Ledger · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:24 AM
- Hash: eb6bef09f2c04c15cb62c7667fdcc301c5138ace1255005d4374b241e371f3f0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: heath-ledger; Version: 1.0.0. The skill is classified as suspicious due to critical security vulnerabilities, primarily the unencrypted storage of sensitive API keys. Both Mercury and Stripe API tokens are stored in plain text within the local SQLite database (`data/heath.db`), as seen in `scripts/connect_mercury.mjs` and `scripts/connect_stripe.mjs`. This exposes credentials to any attacker who gains local access to the system running the OpenClaw agent. Additionally, `scripts/categorize.mjs` constructs a JSON prompt for the AI agent, which, while currently benign, represents a potential prompt injection vulnerability if the underlying data used to build the prompt could be manipulated. There is no evidence of intentional malicious behavior such as data exfiltration to unauthorized endpoints or backdoor installation.
- External report: View on VirusTotal
