Skill v1.0.0
VirusTotal security
finstep-tools · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:52 AM
- Hash: bc723fd7f804f7cdb006a3ca859f9db73bd81640ba1028235ab820c74b82e5a9
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: finstep-tools; Version: 1.0.0. The skill bundle provides a wrapper for financial data APIs from 'finstep.cn', but all shell scripts (e.g., company.sh, quote.sh, macro.sh) are highly vulnerable to JSON injection. They concatenate unsanitized shell variables directly into JSON-RPC payloads within curl commands (e.g., using "${KEYWORD}" inside a JSON string). This allows a malicious user or a prompt-injected agent to manipulate the API request structure. While the intent appears to be a legitimate financial service, the lack of input sanitization in a tool designed for AI execution poses a significant risk.
