Back to skill
Skillv1.0.0
VirusTotal security
investment-data · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:54 AM
- Hash
- eac74f9c3d4073ba985692263934cb81fe76a4428f43182d7acd64b118daf4c8
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: investment-data Version: 1.0.0 The skill is designed to download and manage financial data, which inherently involves network requests to GitHub and local file system operations (downloading, extracting, writing data files). The `scripts/download_data.py` fetches a `.tar.gz` archive from `github.com/chenditc/investment_data` and extracts it locally. While this functionality is central to the skill's stated purpose, it introduces a supply chain risk: if the upstream GitHub repository were compromised, malicious content could be delivered and executed. Additionally, `scripts/data_client.py` uses `subprocess.run` to execute `scripts/download_data.py`, which, while currently an internal call, represents a risky capability (potential RCE vulnerability) if not carefully controlled or if the target script were compromised. There is no evidence of intentional malicious behavior like data exfiltration or unauthorized remote control.
- External report
- View on VirusTotal