Skill v0.1.0

VirusTotal security

Storyclaw Alpaca Trading · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review Apr 30, 2026, 6:14 AM
Hash
2d8b6084cff5108a8bf73e911d78c7793035f01460770ef4144315252bd39a7d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: storyclaw-alpaca-trading
Version: 0.1.0

The skill bundle contains a path traversal vulnerability in `scripts/config-loader.js`, where the `USER_ID` or `TELEGRAM_USER_ID` environment variable is used to construct a file path (`credentials/{USER_ID}.json`) without sanitization. Additionally, `scripts/aggressive-strategy.js` utilizes `execSync` to execute shell commands constructed from script logic, which is a high-risk pattern. While the bundle appears to be a functional Alpaca trading tool, these vulnerabilities could be exploited to read unauthorized files or execute arbitrary code if environment variables are manipulated.