Back to skill
Skillv1.0.11
VirusTotal security
HeyTraders Quant Skills · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:51 AM
- Hash
- e15b484d179b111d83ab8f8eb642dbbe2ebcc39fd98d56e0cdb45c0fd32afe99
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: heytraders Version: 1.0.11 The skill requires `curl` and `jq` for interacting with the HeyTraders API, which is expected for its stated purpose of crypto trading and market analysis. However, the `SKILL.md` documentation exposes an endpoint (`PUT /live-strategies/subscriptions/{id}/webhook`) that allows configuring webhooks to arbitrary URLs. This capability, while a legitimate feature of the platform, introduces a significant prompt injection vulnerability. A malicious prompt could instruct the AI agent to set up a webhook to an attacker-controlled server, potentially exfiltrating sensitive trading data (e.g., signals, account balances, trade history) that the agent has access to via its API key. This high-risk capability for data exfiltration, even without explicit malicious intent in the skill itself, warrants a 'suspicious' classification.
- External report
- View on VirusTotal