Skill v1.0.0
VirusTotal security
openfin-enable-banking · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:42 AM
- Hash: 471aa5599d6a656d8ba9b3c9e32afda95c6967c44cffedfab8740f2e224c19d3
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: openfin-enable-banking; Version: 1.0.0. The skill bundle provides a functional PSD2 banking integration but contains a path traversal vulnerability in `scripts/callback_server.py`. The `state` query parameter from the OAuth callback is used without sanitization to construct a file path (`PENDING_DIR / f'{state}.json'`), which could allow an attacker to write JSON files to arbitrary locations on the filesystem. Furthermore, the callback server binds to `0.0.0.0`, making it accessible over the network, and uses `subprocess.run` to execute `openssl` for certificate generation. While these appear to be unintentional security flaws rather than malicious intent, they represent a significant risk surface.
