Skillv1.0.0

VirusTotal security

tradr · External malware reputation and Code Insight signals for this exact artifact hash.

ReviewMay 1, 2026, 3:58 AM

Hash: 585967b06085aa0bd0bf60ea78d234e1005e7becbe188e0d046e013220687ba4
Source: palm
Verdict: suspicious
Code Insight: Type: OpenClaw Skill Name: tradr Version: 1.0.0 The skill is classified as suspicious due to several high-risk behaviors, primarily the potential for privilege escalation and risky inter-skill communication. The `scripts/setup.sh` script installs `scripts/exit-manager.py` as a systemd service, which can be configured to run with root privileges (`sudo systemctl start`). This significantly increases the impact of any potential vulnerability within `exit-manager.py`. Furthermore, both `scripts/tradr-enter.py` and `scripts/exit-manager.py` execute the `bankr.sh` dependency with environment variables `BANKR_ALLOW_TRADE=1` and `BANKR_ALLOW_SELL=1`, which bypass internal guards in the `bankr` skill. While intended for mechanical pipeline operation, this design choice could be a vulnerability if `bankr.sh` expects more stringent checks from its callers. Finally, `scripts/notify-telegram.sh` (called by the main scripts) exfiltrates detailed trade information (buys, sells, P&L, errors) to Telegram, loading API tokens from `.env.secrets`. While this is a stated feature for notifications, it represents external data transmission of operational data.
External report: View on VirusTotal