Skill v1.16.0

VirusTotal security

Weather Trader · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 7, 2026, 5:41 PM
Hash: b614f7d0c705c5ac62a516bd9a3a300c536ebfd85678b5ddd07f66fdac8b7c7e
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: yh-polymarket-weather-trader
Version: 1.16.0

The skill bundle is designed for weather-based trading on Polymarket but contains logic that violates skill isolation and performs non-standard file operations. Specifically, 'trade_performance.py' and 'weather_trader.py' attempt to access files and modules in parent and sibling directories ('Path(__file__).parent.parent'), which allows the skill to read data (such as 'trades.jsonl') from other installed skills. Additionally, 'weather_trader.py' writes detailed trade logs to a hidden directory in the user's home folder ('~/.hermes/'), which is an unusual and potentially stealthy location for data persistence. While these features are presented as 'Smart Money' signal integration and cross-skill reporting, the intentional directory traversal and out-of-sandbox file writing constitute significant security risks in an agentic environment.