Skill v1.0.0
VirusTotal security
yahoo-finance-bist · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Apr 30, 2026, 4:51 AM
- Hash: 77cf2bfec3a51f2ed0118da6b1f4c56af57d81e04a25390bd6fbe81dcf3a111e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: yahoo-finance-bist. Version: 1.0.0. The skill bundle is classified as suspicious due to two significant vulnerabilities. The `investing_excel_exporter.py` script is vulnerable to path traversal, allowing an attacker to write CSV files to arbitrary locations on the filesystem by crafting the `symbol` argument. Additionally, the `investing_trade_logger.py` script is vulnerable to Stored Cross-Site Scripting (XSS) in its generated HTML report (`Nikos_Portfoy_Analiz.html`), as user-controlled `symbol` and `name` values are embedded directly into JavaScript arrays and HTML without proper escaping. While the `SKILL.md` uses prompt injection techniques to control the AI agent's behavior, its intent appears to be to enforce factual data reporting rather than malicious action. All network calls are legitimately directed to Yahoo Finance API.
