Back to skill
Skillv1.0.0
VirusTotal security
AI图片生成 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:17 AM
- Hash
- 5ce2b1357c54137a7c2356d33c670375d476d40f898ced0887ca82ed05ebb72b
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: gen-image Version: 1.0.0 The skill is vulnerable to shell injection in `scripts/generate.sh` because user-provided variables such as `$PROMPT`, `$MODEL`, and `$SIZE` are directly expanded within a double-quoted string passed to `curl`. This allows for arbitrary command execution if a user provides a prompt containing shell metacharacters (e.g., backticks or `$(...)`). While the skill's functionality for image generation via the SiliconFlow API (api.siliconflow.cn) appears legitimate, the lack of input sanitization poses a significant security risk.
- External report
- View on VirusTotal