Back to skill
Skillv1.1.0
VirusTotal security
Expense Tracker v2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:57 AM
- Hash
- 43d4ecd0e8dae5414fe6ba206e55b5c3e576231f95189fb09191f0e7945ea90d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: expense-tracker-v2 Version: 1.1.0 The OpenClaw AgentSkills skill bundle implements an expense tracker with multiple storage backends. While the `SKILL.md` and cryptographic implementation appear benign, the `scripts/expense-tracker.js` file contains significant vulnerabilities. The `setup` command allows the user to specify an arbitrary file path for local data storage, which could lead to path traversal and arbitrary file read/write if a malicious path is provided. Furthermore, the Supabase backend allows a user-defined URL, which could be abused for data exfiltration of expense data and API keys if configured to an attacker-controlled endpoint. These are vulnerabilities that could be exploited, but they do not demonstrate clear malicious intent by the developer to exfiltrate data to a hardcoded malicious destination or install backdoors.
- External report
- View on VirusTotal