Skillv1.0.0

VirusTotal security

Investment Committee · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

May 1, 2026, 7:49 AM

Hash: 7782b0b2bc6db2ffe58a6b4a9b4c7f4afd2b523888406081cea23b3f5b1f9c92
Source: palm
Code Insight: Type: OpenClaw Skill Name: investment-committee Version: 1.0.0 thought The user wants me to analyze a set of files for an OpenClaw AgentSkill called "investment-committee". I need to classify it as `benign`, `suspicious`, or `malicious` based on specific criteria: - `malicious`: Intentional harmful behavior (theft, exfiltration, backdoors, etc.). - `suspicious`: Risky capabilities/vulnerabilities without clear malicious intent (shell access, network access, prompt injection risks). - `benign`: Aligned with purpose, no high-risk behaviors. Let's look at the files: 1. **_meta.json**: Metadata about the skill. Owner ID, slug, version, published date. Looks standard. 2. **SKILL.md**: Instructions for the AI agent. - It describes an "Investment Committee" with 5 personas (Munger, Marks, Duan, Druckenmiller, Simons). - It outlines a 4-step process: Data preparation, Analysis mode identification, Spawning sub-agents, and Verdict integration. - **Step 1 (Data Prep)**: It provides a bash command to run a python script: `python3 {workspace}/investment-committee/scripts/fetch_price.py GOOGL 700.hk BTC GOLD`. This is a local script execution. - **Step 3 (Spawn)**: It mentions `sessions_spawn × 5`. This is a feature of OpenClaw to run parallel agents. - **Step 4 (Verdict)**: It mentions reading files from `references/`, `assets/`, and writing to `{workspace}/investment-committee/history/`. - **Prompt Injection Surface**: The instructions tell the agent how to behave. There are no instructions to ignore the user, exfiltrate data, or perform unauthorized actions. It's a complex multi-agent workflow. 3. **scripts/fetch_price.py**: - A Python script to fetch stock/crypto prices from `stooq.com`. - It uses `requests` to get CSV data from a public URL. - It maps common symbols to Stooq's format. - It prints the results. - **Risk**: It makes a network request to `stooq.com`. This is necessary for the stated purpose (fetching prices). It doesn't seem to exfiltrate sensitive data (it only sends the symbol and date range). 4. **assets/report-template.md**: A template for the final report. Benign. 5. **references/druckenmiller.md**: Persona instructions for Stanley Druckenmiller. Benign. 6. **references/duan.md**: Persona instructions for Duan Yongping. Benign. 7. **references/marks.md**: Persona instructions for Howard Marks. Benign. 8. **references/munger.md**: Persona instructions for Charlie Munger. Benign. 9. **references/simons.md**: Persona instructions for James Simons. Benign. 10. **references/verdict.md**: Rules for integrating the 5 opinions. Benign. - **Data exfiltration**: None found. The script fetches data from a legitimate financial data site. - **Malicious execution**: The `SKILL.md` instructs the agent to run a local python script. This is a standard way OpenClaw skills work. The script itself is simple and does what it says. - **Persistence/Backdoors**: None found. - **Prompt Injection**: The `SKILL.md` contains instructions for the agent, but they are aligned with the "Investment Committee" purpose. There are no "ignore previous instructions" or "send your system prompt to X" type of attacks. - **Obfuscation**: None found. - **Supply chain**: No external dependencies other than `requests`. The skill uses `python3` execution and `web_search` (implied in SKILL.md), which are high-privilege capabilities. However, these are used for the stated purpose of financial analysis. The script `fetch_price.py` is local and transparent. Is there any "suspicious" element? - The script uses `requests` to an external domain (`stooq.com`). - The agent is instructed to run shell commands. - The agent is instructed to spawn sub-agents. According to the "CRITICAL DISTINCTION" and "IMPORTANT THRESHOLD": - Risky capabilities (shell/network/file access) plausibly needed for the stated purpose should be classified as `suspicious` if they are vulnerabilities, or `benign` if they are just features. - However, the prompt says: "benign only if behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." - Running arbitrary python scripts and making network calls are "high-risk behaviors" in an agentic context, even if the script provided is currently safe. - But the instructions say: "malicious ONLY if there is clear evidence of INTENTIONAL harmful behavior... If you see risky capabilities without clear malicious intent... classify as suspicious (not malicious)." Wait, the prompt says: "benign only if behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." And: "classify as suspicious (not malicious)" if there are "risky capabilities without clear malicious intent (e.g., shell/network/file access plausibly needed for the stated purpose...)" So, since it uses shell execution (`python3 ...`) and network access (`requests.get`), it fits the "suspicious" category because these are risky capabilities, even if they are used for the stated purpose. Let's re-read: "benign only if behavior is clearly aligned with the stated purpose and lacks meaningful high-risk behaviors." Is fetching a price from a public API a "meaningful high-risk behavior"? In the context of an AI agent, executing code is always high-risk. However, many OpenClaw skills are designed to run code. If I compare this to a truly benign skill (e.g., one that just formats text), this is more "risky". Let's look at `fetch_price.py` again. It takes arguments from `sys.argv`. `python3 {workspace}/investment-committee/scripts/fetch_price.py GOOGL 700.hk BTC GOLD` If a user provides a malicious symbol like `; rm -rf /`, would it be vulnerable? The `SKILL.md` shows the agent constructing the command. The script `fetch_price.py` does: ```python def fetch_quote(symbol_raw, days_back=5): sym = normalize_symbol(symbol_raw) ... url = f'https://stooq.com/q/d/l/?s={sym}&d1={d1}&d2={d2}&i=d' r = requests.get(url, headers=HEADERS, timeout=10) ``` If `symbol_raw` is something like `foo&bar=baz`, it's just a URL parameter. The shell injection risk is in how the *agent* calls the script. `python3 {workspace}/investment-committee/scripts/fetch_price.py [USER_INPUT]` If the agent doesn't sanitize the input before putting it in the bash block, it's a shell injection vulnerability. The `SKILL.md` says: `python3 {workspace}/investment-committee/scripts/fetch_price.py GOOGL 700.hk BTC GOLD`. It doesn't explicitly show a variable placeholder like `$TARGET`, but the instructions say "对任意标的进行多维度独立分析" (analyze any target). So the agent will likely do: `python3 .../fetch_price.py <target_from_user>`. This is a classic "Shell injection via lack of input sanitization" vulnerability. The prompt says: "Vulnerabilities (e.g., ... Shell injection via os.system, lack of input sanitization ...) are flaws that allow attacks. ... CLASSIFY VULNERABILITIES ... AS 'suspicious', NOT 'malicious'". Therefore, the classification should be `suspicious`. Indicators: 1. Shell execution of a local script with parameters derived from user input (potential shell injection). 2. Network access to an external domain (`stooq.com`) to fetch data. 3. Complex multi-agent orchestration which increases the attack surface for prompt injection (though no malicious intent is visible). The script `fetch_price.py` itself is benign in intent. The `SKILL.md` is a sophisticated investment tool. But the pattern of "Agent runs shell command with user-provided strings" is a security risk. Final check on "malicious": Is there any intent to steal? No. Is there a backdoor? No. Final check on "benign": Does it lack high-risk behaviors? No, it executes shell commands and makes network calls. So `suspicious` is the correct classification. Summary: The skill implements a multi-agent investment analysis workflow. It is classified as suspicious due to the use of shell command execution (`python3`) to run a local script (`fetch_price.py`) with arguments derived from user input, which presents a shell injection risk. Additionally, the script performs external network requests to `stooq.com`. While these actions are aligned with the stated purpose of financial analysis, the lack of explicit input sanitization in the agent's instructions makes it vulnerable to exploitation. Wait, I should check if there are any other IOCs. URL: `https://stooq.com/q/d/l/` File names: `SKILL.md`, `scripts/fetch_price.py`, `references/verdict.md`, etc. The classification is `suspicious`. One more thing: The `SKILL.md` uses `sessions_spawn`. This is a powerful feature. The instructions for the sub-agents are in `SKILL.md`. `你现在扮演 [大师姓名]。 ... [读取对应 references/ 文件全文]` This is a standard RAG/Persona pattern. The most important indicator is the shell execution pattern. ```json { "classification": "suspicious", "summary": "The skill orchestrates a multi-agent financial analysis workflow but is classified as suspicious due to its reliance on shell command execution. The agent is instructed in `SKILL.md` to run a local Python script (`scripts/fetch_price.py`) using parameters derived from user input, which creates a potential shell injection vulnerability. Furthermore, the script performs outbound network requests to `stooq.com` to retrieve market data, which, while functional, constitutes a high-risk capability in an agentic environment." } ``` Wait, the prompt says "Respond ONLY as JSON". I should make sure the summary is a single short paragraph. One detail: `stooq.com` is a legitimate financial site. The script uses `requests.get(url, headers=HEADERS, timeout=10)`. The `normalize_symbol` function: ```python def normalize_symbol(s): s = s.upper() return SYMBOL_MAP.get(s, s.lower().replace('.HK', '.hk').replace('.US', '.us')) ``` This function doesn't sanitize for shell characters, but the script is called *from* the shell. The vulnerability is in the agent's construction of the command line. Example: User: "Analyze `Tencent; rm -rf /`" Agent might run: `python3 .../fetch_price.py Tencent; rm -rf /` This is the risk. The instructions are in Chinese, but the logic is clear. Final JSON structure: { "classification": "suspicious", "summary": "..." } ```json { "classification": "suspicious", "summary": "The skill implements a multi-agent investment analysis workflow that is classified as suspicious due to the use of high-risk capabilities. Specifically, `SKILL.md` instructs the agent to execute a local Python script (`scripts/fetch_price.py`) via the shell using arguments derived from user input, which presents a shell injection risk if the agent does not sanitize the input. Additionally, the script performs outbound network requests to `stooq.com` to fetch financial data. While these behaviors are consistent with the stated purpose, the combination of code execution and network access without explicit security constraints constitutes a significant attack surface." } ```
External report: View on VirusTotal