Skill v1.0.0

VirusTotal security

Cloudflare Image Generation · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:20 AM

Hash: 003749788e72684bfc89e8424c272c97ea743ec66c0267099c906f1efa6418f2
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: cloudflare-image-gen
Version: 1.0.0

The skill is classified as suspicious due to a critical shell injection vulnerability in `scripts/generate_image.py`. The `subprocess.run(cmd, shell=True)` call embeds user-controlled input (`prompt`) directly into a `curl` command string without proper sanitization, allowing an attacker to execute arbitrary shell commands. Additionally, a Cloudflare API token (`aCTA2KaKa1n3ayFDL-LPmZ-JgUC0HHgA5Msy18Bk`) is hardcoded in both `SKILL.md` and `scripts/generate_image.py`, posing a credential exposure risk.