Back to skill
Skillv1.0.0
VirusTotal security
WaveSpeedAI Wan 2.6 Video Generation · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:52 AM
- Hash
- db74cf80e5d6bcf8f774872e457993c63669d46225964201dbc196510371c27d
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wavespeed-wan-26 Version: 1.0.0 The skill is classified as suspicious due to the presence of high-risk capabilities that could be exploited via prompt injection, despite the inclusion of security warnings. Specifically, the `wavespeed.upload()` function demonstrated in `SKILL.md` allows the agent to upload local files, which could be abused to exfiltrate sensitive data (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) if a malicious prompt instructs the agent to upload arbitrary file paths. Additionally, the `image` and `audio` parameters accept external URLs, introducing a potential Server-Side Request Forgery (SSRF) vulnerability if the agent is prompted to fetch untrusted or internal network resources.
- External report
- View on VirusTotal