Skill v0.5.5
VirusTotal security
Horizon SDK · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 4:15 AM
- Hash: f3282b1c35058a64e504af7dc15d4e599afa251f865858763868ac70c5e4ede5
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: horizon-trader
  - Version: 0.5.5

  The skill bundle demonstrates robust input validation and strong Server-Side Request Forgery (SSRF) prevention for network calls in `scripts/horizon.py`. However, the `tearsheet` command in `scripts/horizon.py` is vulnerable to Local File Inclusion (LFI). It directly opens a user-provided file path (`equity_csv_path`) without any sanitization or restriction, which could allow a malicious prompt to instruct the agent to read arbitrary files on the system (e.g., `/etc/passwd`, `~/.ssh/id_rsa`). This is a critical vulnerability.
