Back to skill
Skillv1.0.0
VirusTotal security
fund-monitor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:23 AM
- Hash
- 90114ff7a9906182680718246365c317af534dc05932fe900b90030da2244265
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: fund-monitor Version: 1.0.0 The skill bundle contains hardcoded sensitive credentials, including a Feishu APP_ID and APP_SECRET, in both append-fund.js and update-feishu.js. There is a significant file type mismatch where append-fund.js contains Python code despite its extension, and multiple scripts reference hardcoded absolute file paths tied to a specific local user environment (/Users/js/). While the logic appears aligned with the stated purpose of fund monitoring, the inclusion of active API secrets and environment-specific paths is a high-risk practice that could lead to credential exposure or execution failures.
- External report
- View on VirusTotal