Skill v1.0.0
VirusTotal security
design pick2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:51 AM
- Hash: 58ee820568d6b4f709db5b0416b4d2646a545eaa90e7fbc5a05b50d33367b65e
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: design-pick2; Version: 1.0.0. The skill contains a critical shell injection vulnerability in `scripts/generate_image.py` due to the use of `subprocess.run(shell=True)` with unsanitized user input (the prompt) inside a `curl` command. Additionally, this script contains hardcoded Cloudflare API credentials (ACCOUNT_ID and TOKEN), which is a significant security risk. While these flaws appear to be unintentional vulnerabilities rather than active malware, they allow for arbitrary command execution and credential abuse.
