Skill v1.0.0
VirusTotal security
wan-text2image · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review May 1, 2026, 6:32 AM
- Hash: 7a7aaf6188a3d869312c05c62692bcd600d3817f4573ccfececbb8d1975b7873
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: wan-text2image; Version: 1.0.0. The script `scripts/t2i.sh` is vulnerable to command injection because it expands shell variables ($PROMPT, $NEGATIVE_PROMPT, $SIZE) directly inside a double-quoted string passed to curl. This allows an attacker to execute arbitrary commands on the host system via crafted input. While the script correctly targets the official Alibaba DashScope API (dashscope.aliyuncs.com) and lacks clear evidence of malicious intent, the critical security flaw warrants a suspicious classification.
