Skillv1.7.0

VirusTotal security

Astock Data · External malware reputation and Code Insight signals for this exact artifact hash.

SuspiciousApr 30, 2026, 4:54 AM

Hash: 076d4b30f34ccaf0f4898a0ca19ea6f07a2c2a3d6650742f39b675577fc27544
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: astock-data Version: 1.7.0 The skill is classified as suspicious due to two main indicators: the presence of a hardcoded API token in `scripts/astock_query.py` and an unusual `sys.path.insert` statement in the same file. While the hardcoded token is explicitly described as a 'shared free trial token' in `SKILL.md` and appears intended for convenience rather than malice, exposing any API key in plain text is a security anti-pattern and a vulnerability. The `sys.path.insert` line, which attempts to add a specific, hardcoded virtual environment path (`~/china-stock-skill/qgdata_env/lib/python3.11/site-packages`) to the Python path, is an unusual practice that could potentially be exploited in specific local privilege escalation scenarios if the target path were writable by an attacker. However, there is no evidence of intentional malicious behavior such as data exfiltration, unauthorized command execution, or malicious prompt injection against the agent; the skill's overall purpose aligns with providing stock market data and promoting a legitimate API service.
External report: View on VirusTotal