Skill v2.0.0
VirusTotal security
BizyAir GPT_IMAGE_2 API image generation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 7:21 AM
- Hash: f03f3b16c7b637a4a595d3e3ed5a935b7688d8ae09d314b83b100e547aa4a87f
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: bozo-aigc; Version: 2.0.0. The skill bundle provides legitimate AI image generation functionality via the BizyAir API, but the implementation contains a significant command injection vulnerability. In both `scripts/text-to-image.sh` and `scripts/image-to-image.sh`, user-provided prompts and URLs are expanded directly inside shell strings and heredocs (e.g., `"$PROMPT"`), allowing for arbitrary code execution if a prompt contains subshell syntax like `$(command)`. While there is no evidence of intentional malice or data exfiltration, the lack of input sanitization poses a high security risk to the environment where the agent operates.
