Skill v1.6.0

VirusTotal security

Private Fund Portfolio Analysis · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Mar 25, 2026, 5:47 PM

Hash: 1395efdad9900d48190e4a78b308051f5970e5ca0d614f16e56d9e52a7dd6d40
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: private-fund-portfolio-analysis
Version: 1.6.0

The skill bundle contains hardcoded MySQL credentials (user: 'readonly_user', password: 'w6w%vkXENC82PGZo') and a specific external IP address (43.138.222.153) in SKILL.md and references/data_sources.md. While the stated purpose is to fetch industry classification data, providing default credentials to an external server is a significant security risk and a common indicator of potential data exfiltration or tracking.

Additionally, the skill relies on an AI agent generating and executing complex Python scripts (via scripts/generate_analysis_script_prompt.py) that interact with local files and network resources, which presents a high risk if the generated code is not strictly sandboxed.