Back to skill
Skillv1.0.0
VirusTotal security
Fuku Predictions · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:56 AM
- Hash
- 644a5fa2a5b9b82bf61615438b272e285ce87ec69d5f1d14ebd814f4b480daaa
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: fuku-predictions Version: 1.0.0 The skill is designed for legitimate automated trading on Kalshi prediction markets, handling API keys securely (local .env, RSA-PSS signing). However, it contains significant vulnerabilities. The `scripts/agent_interface.py` uses `subprocess.run` to execute `autopilot.py` with a `profile_name` derived from user input, creating a potential shell injection vector. Additionally, `scripts/profile_engine.py`'s `load_profile` function could load a profile from an arbitrary absolute path if user input is crafted, leading to malicious configuration. The `scripts/setup.py` also modifies the user's crontab, a high-privilege action, although the command itself is constructed from internal paths. These are critical vulnerabilities that could be exploited for arbitrary code execution or malicious configuration, but there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to an attacker-controlled server, backdoors, or obfuscation).
- External report
- View on VirusTotal