Back to skill
Skillv1.0.2
VirusTotal security
AIML Generate images and videos · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:47 AM
- Hash
- 7eb4797ded5fe8b511f9ef41ba308f673803300284c4f552103c1bfa5383e7a7
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: aiml-image-video Version: 1.0.2 The skill is classified as suspicious due to a critical Local File Read (LFR) vulnerability in `scripts/gen_image.py`. The `--image-url` argument can be used to read arbitrary local files (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), base64 encode their content, and send them to the `api.aimlapi.com` endpoint as part of the image generation payload. While the destination is a legitimate API, this constitutes an information disclosure risk. Additionally, both `scripts/gen_image.py` and `scripts/gen_video.py` allow reading arbitrary files via the `--apikey-file` argument, although this risk is acknowledged in `README.md`.
- External report
- View on VirusTotal