Back to skill
Skillv1.0.0
VirusTotal security
Investment Data 1.0.0 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 5:13 AM
- Hash
- 38a1f79929573010c00d163472a9c33fd094e63d2b8f7d26cb475767da941f67
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: investment-data-1-0-0 Version: 1.0.0 The skill implements a mechanism to download and extract a remote tarball (`qlib_bin.tar.gz`) from a third-party GitHub repository (`github.com/chenditc/investment_data`) within `scripts/download_data.py`. It also utilizes `subprocess.run` in `scripts/data_client.py` to execute local scripts for data updates. While these actions are consistent with the tool's stated purpose of managing financial datasets, the automated fetching and extraction of external binary artifacts pose a high risk of remote code execution or supply chain compromise. No explicit malicious intent or data exfiltration logic was identified.
- External report
- View on VirusTotal