Skill v1.0.1

VirusTotal security

Hummingbot · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:42 AM
Hash: bcba7f4ff951a88468daab5c0a6f940a306ea0fd222f5701d075268eb416c543
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: hummingbot
Version: 1.0.1

The skill is designed to interact with a local Hummingbot API, and most scripts use the provided `hummingbot-api-client` correctly. However, `scripts/history.py` deviates from this pattern by implementing its own API request logic using `urllib.request`. This script constructs the request URL by directly concatenating user-controlled input (`bot_name`) into the endpoint, creating a Server-Side Request Forgery (SSRF) vulnerability. An attacker capable of controlling the `bot_name` argument (e.g., via prompt injection against the agent) could exploit this to make arbitrary requests to local network services or potentially external ones if the `HUMMINGBOT_API_URL` environment variable is configured to a non-localhost address. This is a significant vulnerability, classifying the skill as suspicious rather than malicious due to the lack of clear evidence of intentional self-exploitation within the provided code.