Skill v1.0.0

VirusTotal security

Hana Image Gen MacOS · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 26, 2026, 9:11 AM
Hash
e97547d48f6bdd731ed288c3f94937ae86195b0185f782eda737359b698144ba
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: hana-image-gen-macos
Version: 1.0.0

The skill contains a shell injection vulnerability in the `SKILL.md` workflow, which passes the user-controlled `$prompt` variable directly into a shell command (`python3 gen.py "$prompt"`) without sanitization. While the `scripts/gen.py` file appears to be a legitimate implementation for interacting with the OpenRouter API (https://openrouter.ai), the architectural flaw in the workflow allows for potential Command Injection. There is also a functional discrepancy where the workflow attempts to read from `../output.json` while the script only outputs results to stdout.