Back to skill
Skillv1.0.0
VirusTotal security
Tradekix · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:48 AM
- Hash
- 00622d6dbeed56387ce634106eea7629b47ff76a80478393f56526322fbd7b7a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: tradekix Version: 1.0.0 The `scripts/tradekix.sh` file contains a significant shell injection vulnerability. Arguments passed to the script, such as `symbols` for the `prices` command or `name`/`email` for `signup`, are directly embedded into `curl` commands or JSON payloads without proper sanitization. This allows for arbitrary command execution (RCE) if a malicious prompt instructs the AI agent to provide crafted input (e.g., `AAPL,TSLA,BTC$(rm -rf /)` as a symbol). While the script's stated purpose is benign, this critical vulnerability makes it suspicious, as it could be exploited by a malicious actor to compromise the host system.
- External report
- View on VirusTotal