origram
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: origram Version: 1.0.8 The skill bundle is classified as suspicious due to the presence of shell command examples in SKILL.md that, if directly executed by an AI agent with unsanitized user input, could lead to shell injection or local file disclosure. Specifically, the `base64 -w0 /path/to/photo.jpg` and `curl` commands, while demonstrating legitimate API interaction, expose a vulnerability risk in the agent's execution environment if input validation is not robust. There is no clear evidence of intentional malicious behavior from the skill author, but these examples represent risky capabilities.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used to complete the full workflow, an agent could publish the chosen image and caption to Origram and cause a 175-sat Lightning payment.
The documented workflow performs an external API submission, spends a small Lightning payment, and publishes the submitted photo. This is the stated purpose, but it is still a user-visible action with financial and public-posting impact.
Each submission requires a small bitcoin payment (175 sats) via Lightning Network... retry the same request with an `Authorization` header... publishes your post.
Only use it for images and captions you intend to make public, and require clear user confirmation before paying the invoice or retrying the publish request.