Skill v1.0.0
VirusTotal security
cTrader Commander · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:35 AM
- Hash: ecee71659e102ee01c7f5f2a8fbdbdc07d4d801012bbef7404c1cab4e546968b
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: ctrader-commander. Version: 1.0.0. The skill is classified as suspicious due to high-risk capabilities, specifically the instruction for the agent to execute `cd ~/ctrader-openapi-proxy && make run` in `SKILL.md`. This command delegates significant control to an external `Makefile` and allows arbitrary local command execution. Additionally, the `curl` commands targeting `http://localhost:9009/get-data?command=...` in `SKILL.md` and `endpoints.md` present a shell injection vulnerability pattern. If the agent constructs the `command` parameter from unsanitized user input, it could lead to arbitrary command execution within the `curl` context. While the stated purpose of the skill is benign (interacting with a local trading proxy), these capabilities introduce significant security risks without clear malicious intent within the skill bundle itself.
