Back to skill
Skillv3.5.3
VirusTotal security
Aicoin Freqtrade · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:56 AM
- Hash
- 3146bc05bd51682431f8bfd4b63f6ea44413210f8cb5cac011179183906675e2
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: aicoin-freqtrade Version: 3.5.3 The skill bundle provides a comprehensive environment for deploying and managing Freqtrade trading bots, but it contains significant security vulnerabilities. Specifically, `scripts/ft-deploy.mjs` is vulnerable to shell injection in the `backtest`, `hyperopt`, and `download_data` actions because user-provided parameters such as `pairs` and `timerange` are concatenated directly into shell commands executed via `execSync` without sanitization. Additionally, the deployment script uses a high-risk `curl | sh` pattern to install the `uv` Python manager. While the logic appears aligned with its stated purpose of quantitative trading and lacks clear evidence of intentional malice, these flaws represent a significant attack surface for prompt injection against the AI agent.
- External report
- View on VirusTotal