Back to skill
Skillv0.1.0
VirusTotal security
Trade · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:47 AM
- Hash
- 20809a006c502917b2755a038025b428e7dd23dc95ba3b3c61371c15d502f544
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: trade Version: 0.1.0 The skill is designed for a legitimate purpose (token trading) and includes a security instruction to prevent shell variable expansion. However, it relies on the `npx awal@latest` external package, introducing a supply chain risk. More critically, the `allowed-tools` in `SKILL.md` use broad wildcards (`Bash(npx awal@latest trade *)`), permitting the agent to pass arbitrary arguments to the `awal` command. This creates a vulnerability where potential command injection flaws within the `awal` tool itself could be exploited if an attacker crafts malicious inputs, even though the skill itself does not explicitly instruct the agent to perform malicious actions.
- External report
- View on VirusTotal