Back to skill
Skillv1.0.1
VirusTotal security
Funky Fund Flamingo · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 4:10 AM
- Hash
- ff55bb05a9c4ddaa73577ee2b8bdac1f08be3d3f79ed6f04b1e6d77c4a770ea1
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: funky-fund-flamingo Version: 1.0.1 The skill exhibits suspicious behavior due to its broad access to sensitive local data, including agent session logs (`~/.openclaw/agents/<agent>/sessions/*.jsonl`), user memory (`MEMORY.md`, `USER.md`), and environment variables (`.env`). This data is then incorporated into a comprehensive prompt generated by `evolve.js` and printed to stdout. While the skill's code explicitly states it does not perform network requests, the documentation (`SKILL.md`, `evolve.js`) clarifies that an upstream OpenClaw agent using a cloud LLM would send this sensitive prompt data to a third party, posing an indirect data exfiltration risk. Additionally, the skill's core logic and governance documents (`SKILL.md`, `evolve.js`, `VFM.md`, `funky-fund-flamingo-master-directive.json`) contain very strong and repeated prompt injection directives for the AI agent to prioritize 'economic leverage' and 'revenue', which, despite accompanying safety rails (`ADL.md`, explicit prohibitions on publishing/pushing), could lead to unintended or risky agent behaviors if misinterpreted or if the safety mechanisms are bypassed.
- External report
- View on VirusTotal