Back to skill
Skillv1.0.6
VirusTotal security
WQBuddy · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 26, 2026, 5:11 PM
- Hash
- b503bae36e604900fea30cdb4c0b1ad3b7d3d134600ce1dffea9e2a54da5d160
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wqbuddy Version: 1.0.6 The wq-buddy skill bundle is designed to interact with the WorldQuant BRAIN platform, but it requires storing raw usernames and passwords in a local configuration file (~/.wq-buddy/config.json) because the platform lacks OAuth/API key support. While this behavior is documented and justified by the tool's purpose, the storage of plaintext credentials and the requirement to modify the global OpenClaw configuration (~/.openclaw/openclaw.json) represent significant security vulnerabilities. No evidence of intentional data exfiltration or malicious intent was found, but the high-risk credential handling and filesystem permissions align with the 'suspicious' classification.
- External report
- View on VirusTotal