Back to skill
Skillv1.1.0
VirusTotal security
Grok Imagine · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewApr 30, 2026, 4:51 AM
- Hash
- 160af142682faad5c95b94b217dced4be76d4da67c322c84236af942c4fa283a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: grok-imagine-extended Version: 1.1.0 The skill is classified as suspicious primarily due to a critical path traversal vulnerability in `scripts/generate_image.py`. The `download_file` function writes to `output_path` which is directly derived from the user-controlled `--filename` argument without sanitization, allowing an attacker to write files to arbitrary locations (e.g., `../../../../tmp/malicious.txt`). Additionally, the script attempts to load the `XAI_API_KEY` from `~/keys.txt`, which, while intended for convenience, expands the attack surface for API key compromise if an attacker can manipulate that file via prompt injection.
- External report
- View on VirusTotal