Skill v1.0.1

VirusTotal security

Openclaw Bot Prob Trade · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review: Apr 30, 2026, 4:11 AM
Hash: a60d87916b64b46952ccb4a2e368716685015c2e6474d3bd2382dddd4b6cc0dc
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: openclaw-bot-prob-trade
Version: 1.0.1

The skill is designed for autonomous trading and uses external APIs for its functionality. It exhibits a significant vulnerability in `lib/engine.py` (and other strategy files like `lib/strategies/logic_arb.py`, `lib/strategies/weather_arb.py`, `lib/strategies/whale_tracking.py`) where it constructs `sys.path` using the `PROBTRADE_SKILL_PATH` environment variable. An attacker controlling this variable could inject a malicious `api_client.py` module, leading to arbitrary code execution. Additionally, the dynamic loading of strategy modules from `lib/strategies/__init__.py` presents a local file system vulnerability if an attacker can write files to that directory.

While these are serious flaws that could enable attacks, there is no direct evidence of intentional malicious behavior such as data exfiltration or unauthorized remote control within the provided code. The external network calls are to legitimate trading and LLM APIs, and API keys are used as intended for authentication.