Skill v1.1.0

VirusTotal security

NOFX AI Trading · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:48 AM
Hash
ac3cbd676c1289a92ab98e008a79e8c4ede46b56d6a5242dbbfc022a967025f2
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: nofx
Version: 1.1.0

The skill is classified as suspicious due to significant vulnerabilities, specifically the risk of shell injection and API key exposure. The `scripts/nofx-api.sh` script directly embeds unsanitized arguments (e.g., `symbol`, `limit`, `duration`) into `curl` commands, creating a potential remote code execution (RCE) vulnerability if an attacker can control these inputs. Additionally, the script passes the API key as a URL query parameter (`?auth=$API_KEY`), which is less secure than using an Authorization header and increases the risk of the key being logged or exposed. While the skill's stated purpose is legitimate and there's no evidence of intentional malice, these critical vulnerabilities warrant a 'suspicious' classification.