Back to skill
Skillv1.0.0
VirusTotal security
Trading Brain · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 4:49 AM
- Hash
- 38d5156d759be0a7b24b18bf111d20707d32ae1d94640e99f36a2fe6dfe16d83
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: trading-brain Version: 1.0.0 The `SKILL.md` file instructs the AI agent to execute a shell script (`~/clawd/integrations/serper/search.sh`) with a dynamic 'query' parameter. This direct command execution instruction creates a significant shell injection vulnerability if the agent or the `search.sh` script does not properly sanitize the 'query' input, potentially leading to arbitrary command execution. While other file system operations are present, they appear to be for legitimate configuration and logging within the agent's operational directories, and there is no clear evidence of intentional malicious behavior like data exfiltration or persistence.
- External report
- View on VirusTotal