Back to skill
Skillv1.0.1
VirusTotal security
Ashare Fast Watcher · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 6:20 AM
- Hash
- 242981bc1f91d4f2dd3d4d474e08e766e637947c054172f42bfbc6d7be58be1c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: ashare-fast-watcher Version: 1.0.1 The skill bundle contains a command injection vulnerability in daemon.py within the notify_mac function. It uses os.system to execute osascript for macOS notifications using market data fetched from the Tencent API (qt.gtimg.cn) without sanitizing single quotes, which could allow arbitrary code execution if the API response is compromised. While the overall logic in index.py and radar.py aligns with the stated purpose of A-Share market monitoring and uses legitimate libraries like akshare, the insecure implementation of system-level notifications is a high-risk flaw.
- External report
- View on VirusTotal