Back to skill
Skillv1.0.0
VirusTotal security
claw2immich · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:14 AM
- Hash
- 587a3b00ea36e8e7a7dc735d2e8d488e4718d0e0213aa5ca73612938eec9a46e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: claw2immich Version: 1.0.0 The skill is classified as suspicious due to high-risk capabilities and a potential vulnerability in an example script. The `downloadAsset` and `immich_createsharedlink` tools can generate and expose 'no auth needed' shared links to private photos, which, while a stated feature, carries inherent data exposure risks. Furthermore, the `examples/get-photo-urls.sh` script demonstrates direct `curl` download of original assets using a user-provided `IMMICH_SERVER` URL, presenting a potential Server-Side Request Forgery (SSRF) or arbitrary file download vulnerability if an agent were to execute this script with untrusted input. No clear evidence of intentional malicious behavior (e.g., credential theft, backdoor installation, or exfiltration to an attacker-controlled C2) was found within the skill bundle itself, but these capabilities represent significant security risks.
- External report
- View on VirusTotal