Back to skill
Skillv1.0.0
VirusTotal security
HiFi Advisor · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:42 AM
- Hash
- 99606d8af65f802ef9d536c9698437b8a740922b02ed33daa01bea8a0f996f1a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: hifi-advisor Version: 1.0.0 The skill is classified as suspicious due to the explicit instruction in `SKILL.md` to execute a local Python script (`python3 scripts/price_stats.py listings.csv`) with user-provided data. While the `scripts/price_stats.py` script itself appears benign, performing statistical analysis without malicious code, the direct execution of a shell command with user-derived input (`listings.csv`) represents a significant vulnerability risk. Depending on how the OpenClaw agent handles the creation and naming of `listings.csv` and constructs the shell command, this could lead to path traversal, arbitrary file operations, or even shell injection if the filename or path were user-controllable. This is a risky capability, even without clear malicious intent within the script itself.
- External report
- View on VirusTotal