Skill v1.2.0

VirusTotal security

Clawra Selfie (MiniMax) · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:17 AM
Hash: 27cde9fa8a4ed94fa68cca6f6bb959dfe0cc2a7a5cad70d19017815cf9d7fc1a
Source: palm
Verdict: suspicious
Code Insight
Type: OpenClaw Skill
Name: clawra-selfie-minimax
Version: 1.2.0

The skill contains multiple critical shell injection vulnerabilities across `scripts/clawra-selfie-enhanced.sh`, `scripts/clawra-selfie.sh`, and `scripts/clawra-selfie.ts`. User-controlled inputs for image prompts, target channels, and message captions are directly interpolated into shell commands (e.g., `openclaw message send`, `curl`) without proper escaping. This allows for arbitrary command execution on the host system if a malicious user provides specially crafted input. While the skill's stated purpose is benign (image generation and sending), these vulnerabilities could be exploited for unauthorized actions, data exfiltration, or system compromise. The `SKILL.md` also requests broad `Bash(npm:*)` and `Bash(npx:*)` permissions, which could exacerbate the impact of these vulnerabilities.