Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- hooks/gateway-restart-protection/handler.js:57
Security audit
通义万相 2.5D 横幅插画
Security checks across malware telemetry and agentic risk
Overview
The image-generation skill itself is straightforward, but the published package appears to include an unrelated personal OpenClaw workspace with secrets, hooks, memory, projects, and other skills.
Do not install this as-is. The core image generator appears user-directed, but the package should be republished with only SKILL.md, the required image-generation script, and non-secret metadata. The publisher should remove unrelated workspace files, nested skills/hooks, logs/memory/project data, and rotate any exposed API keys, Feishu secrets, or tenant tokens before republishing.
SkillSpector
By NVIDIA
SkillSpector could not complete.
VirusTotal
41/41 vendors flagged this skill as clean.
Static analysis
Detected: suspicious.dangerous_exec, suspicious.dynamic_code_execution, suspicious.env_credential_access (+2 more)
Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- scripts/autonomous-thinking.js:193
Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- scripts/triple-line-sync.js:49
Shell command execution detected (child_process).
Critical
- Code
- suspicious.dangerous_exec
- Location
- skills/send-html-to-feishu/scripts/run.js:41
Dynamic code execution detected.
Critical
- Code
- suspicious.dynamic_code_execution
- Location
- skills/skill-vetting/scripts/scan.py:22
Environment variable access combined with network send.
Critical
- Code
- suspicious.env_credential_access
- Location
- skills/send-html-to-feishu/scripts/send-to-feishu.js:11
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- memory/2026-03-08.md:1773
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- memory/2026-03-14.md:55
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- reports/aliyun-embedding-analysis.md:12
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- scripts/debug-search-step.py:21
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- scripts/vectorize-and-store.py:19
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- scripts/vectorize-optimized.py:24
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- search_knowledge.py:22
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- skills/rag_search/TASK_COMPLETION_REPORT.md:178
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- skills/tts-automation/SKILL.md:96
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- test_semantic_search.py:16
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- test_vectorization.py:12
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- test-embedding-api.py:4
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- test-embedding-compare.py:16
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- test-vector-knowledge-flow.py:17
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- vector_query - 副本.py:22
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- vector_query.py:22
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- vectorize_all - 副本.py:27
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- vectorize_all.py:27
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- vectorize_content.py:25
File appears to expose a hardcoded API secret or token.
Critical
- Code
- suspicious.exposed_secret_literal
- Location
- vectorize_knowledge.py:27
Prompt-injection style instruction pattern detected.
Warn
- Code
- suspicious.prompt_injection_instructions
- Location
- skills/skill-vetting/references/patterns.md:108