Skill v1.0.0

VirusTotal security

Etf Assistant 1.0.1 · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · May 1, 2026, 3:57 AM
Hash: 51e5abd086256ac50ed675a7a0f00870e94e01317c083b3700fe725d27ed6609
Source: palm
Verdict: suspicious

Code Insight
Type: OpenClaw Skill
Name: etf-assistant-1-0-1
Version: 1.0.0

The `etf-assistant.sh` script contains multiple shell injection vulnerabilities. User inputs for ETF codes in `cmd_price` and `cmd_compare` are directly interpolated into `curl` commands, and the search keyword in `cmd_search` is directly interpolated into a `grep` command, without proper sanitization. This allows for potential remote code execution if an attacker provides specially crafted input. While these are critical vulnerabilities, there is no clear evidence of intentional malicious behavior (e.g., data exfiltration to unauthorized endpoints, backdoor installation) by the script itself, thus classifying it as suspicious rather than malicious.