Skillv1.0.0

VirusTotal security

Trading Quant · External malware reputation and Code Insight signals for this exact artifact hash.

ReviewApr 30, 2026, 4:53 AM

Hash: 5c10caf02889f092039b020e356c40a55c54501ff28f286f8a8faa0d38592eee
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: trading-quant Version: 1.0.0 The skill is classified as suspicious due to its extensive reliance on numerous third-party Python libraries (e.g., `akshare`, `yfinance`, `pytdx`, `baostock`, `transformers`) and frequent network calls to various external financial data APIs. While these actions are for the stated purpose of financial data analysis, they introduce a significant supply chain risk and a broad attack surface. Specifically, the `transformers` library downloads large ML models from HuggingFace, and `pytdx` connects to a hardcoded external IP address (`119.147.212.81:7709`). Additionally, the skill uses `/tmp` for IPC sockets and temporary caches (`/tmp/trading_quant_persistent.sock`, `/tmp/quant_industry_cache.json`), and modifies `sys.path` to load internal modules, which, while common for local service management and modularity, could present local attack vectors in a less secure environment. No explicit malicious intent (e.g., data exfiltration to unknown domains, persistence mechanisms, or prompt injection attempts) was found in the code or documentation.
External report: View on VirusTotal