Skill v0.1.0

VirusTotal security

EM-A2A · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 28, 2026, 6:41 AM
Hash
c8d6f72c7e846c300bd3f492024fde61241bdc7f165ecbaf7eaea4517e73293c
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: em-a2a
Version: 0.1.0

The skill facilitates TRON blockchain transactions and requires a highly sensitive 'A2A_PRIVATE_KEY' environment variable. It executes remote code via 'npx' from the npm package '@poisonpyf/a2a-mcp'. The package name prefix 'poison' is a common red flag in security contexts, and the combination of private key access with dynamic remote code execution poses a significant risk of credential theft, although no explicit malicious logic is present in the SKILL.md instructions.