Skill v1.1.0

VirusTotal security

WaveSpeed AI · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 30, 2026, 4:14 AM
Hash
323cda5a8a12f432a8001904c880faeb1b1401c107a38174712005cd9d78bc7d
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: wavespeed
Version: 1.1.0

The skill is classified as suspicious due to critical vulnerabilities in `scripts/wavespeed.js`. The `download` function allows downloading files over unencrypted HTTP if the URL starts with `http://` or if an HTTPS URL redirects to HTTP, exposing the agent to MITM attacks. Additionally, the script is vulnerable to path traversal, as the `--output` argument is used directly to construct file paths for `fs.createWriteStream` without sanitization, potentially allowing an attacker to write files to arbitrary locations on the filesystem (e.g., `../../../tmp/malicious.sh`). There is no evidence of intentional malicious behavior like data exfiltration or backdoor installation, but these vulnerabilities pose a significant risk.