Skill v1.0.4

VirusTotal security

Futu-Stock · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 3:53 AM
Hash: 4de0416271eb3cdb781a8778a16d0b918f5caa3294f4230f117705802bbd396e
Source: palm
Verdict: suspicious
Code Insight

Type: OpenClaw Skill
Name: futu-stock
Version: 1.0.4

The skill is suspicious due to a significant Remote Code Execution (RCE) vulnerability. The `executor.py` script, as documented in `SKILL.md`, attempts to auto-start the `FutuOpenD` executable using `subprocess.Popen` if the `OPEND_PATH` environment variable is set. This allows an attacker to potentially control `OPEND_PATH` via prompt injection against the OpenClaw agent, leading to the execution of arbitrary binaries. While the intent is to start a legitimate application, this mechanism creates a severe security flaw. Additionally, the skill has broad execution capabilities (installing packages) and access to sensitive financial account information, although trading is disabled by default.