Skill v1.0.0
VirusTotal security
Asset Management · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:36 AM
- Hash: 0ef4c391249302b568e7b2d2687e34d3bbc73b1a23aefaf469a62bb577c5cfd9
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: crypto-folio
  - Version: 1.0.0
  - The CryptoFolio skill contains significant security vulnerabilities in its local web server and data handling logic. Specifically, `scripts/serve.mjs` is vulnerable to path traversal, allowing arbitrary file reads by joining unsanitized URL paths to the base directory, and it implements overly permissive CORS headers (`Access-Control-Allow-Origin: '*'`), which could allow any website visited by the user to read or overwrite the sensitive portfolio data. Furthermore, `index.html` stores AI API keys (Claude/OpenAI) in unencrypted `localStorage`. While these flaws appear to be unintentional bugs rather than deliberate malware, they represent high-risk behaviors that could be exploited to exfiltrate financial data or local system files.
