Skill v0.0.1

VirusTotal security

openclaw-visual · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:46 AM
Hash
1e8c9ccc5d92e36e550adad12cea36d5844bd606eb06c35f81cfecaad190d49b
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: openclaw-visual
Version: 0.0.1

This skill is classified as suspicious due to several critical security vulnerabilities. The `scripts/generate-image.js` script, which is central to the skill's functionality, explicitly launches headless browsers (Puppeteer/Playwright) with `--no-sandbox` and `--disable-setuid-sandbox` flags. This disables a fundamental security isolation mechanism, making the host system vulnerable to any exploits within the browser engine. Additionally, the script's reliance on command-line arguments for `--content` and `--output` creates a potential shell injection vector if the AI agent constructs these arguments from unsanitized user input. The skill also allows fetching images from user-provided `IMAGE_URL`s, posing a risk of Server-Side Request Forgery (SSRF). Finally, the `puppeteer` dependency (version 23.2.2) is marked as deprecated, indicating potential unpatched vulnerabilities in the browser itself. These issues, while not direct evidence of malicious intent within the skill's code, create a highly insecure environment.