Skill v1.0.2

VirusTotal security

Sideload Avatar Generator · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:57 AM
Hash: 3b7a3892f7b4c3e80cb7b343171d017b708f6a6b72e277cc39625c513e3a6798
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: sideload-avatar-generator
Version: 1.0.2

The skill is classified as suspicious due to a local file read vulnerability in `scripts/generate.js`. The script directly uses the `--image` argument to read local files (`readFileSync(imageInput)`) and base64-encodes their content for upload to `https://sideload.gg`. While intended for image files, this lacks input sanitization, allowing an attacker or a prompt-injected agent to potentially specify arbitrary file paths (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), leading to local file disclosure to the third-party Sideload.gg service. There is no evidence of intentional malicious behavior, but this constitutes a significant vulnerability.