Skill v2.1.0
VirusTotal security
Fuku Sportsbook · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:30 AM
- Hash: ed54c917fe4dd903f733a695a2f61a336485c1019c85bdd6553ed86bfbf8397e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: fuku-sportsbook. Version: 2.1.0. The OpenClaw AgentSkills bundle 'fuku-sportsbook' is classified as suspicious due to shell injection vulnerabilities found in `scripts/check_notifications.sh` and `scripts/fetch_predictions.sh`. In `check_notifications.sh`, the `AGENT_NAME` argument is not URL-encoded when constructing the API request URL, allowing for potential command injection. Similarly, in `fetch_predictions.sh`, the `DATE` argument is used directly in the `curl` command without proper sanitization, creating another shell injection risk. While the skill's core functionality involves managing real cryptocurrency (USDC), which is high-risk, these specific flaws are vulnerabilities that could be exploited for unauthorized command execution, rather than clear evidence of intentional malicious behavior. All network calls are directed to the stated API endpoint `https://cbb-predictions-api-nzpk.onrender.com`.
