Back to skill
Skillv1.0.1
VirusTotal security
LP Agent · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:42 AM
- Hash
- 3f5bbd6a655728488cfc14f8e7cc9deec522d61ce59ed7521a0bffc5bfb5263a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lp-agent Version: 1.0.1 The skill bundle is designed for legitimate automated cryptocurrency liquidity provision, but it contains significant vulnerabilities. Multiple scripts and the `SKILL.md` documentation explicitly use and reference `admin:admin` as default credentials for the local Hummingbot API, which handles sensitive financial operations. Additionally, the `deploy_hummingbot_api.sh` script creates an unusual `sudo` shim if `sudo` is not found, which could be a security concern. While there is no clear evidence of intentional malicious behavior like data exfiltration to unauthorized external endpoints, these vulnerabilities could be exploited by an attacker who gains access to the local system or network.
- External report
- View on VirusTotal