Skill v1.0.0
VirusTotal security
Cloudinary Cli · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 1:36 AM
- Hash: 6f9cb64d0207d96a7096c796c587c8c58027f36db78fe12cedca0d4b91078007
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: cloudinary-cli. Version: 1.0.0. The skill contains a shell injection vulnerability in 'scripts/upload.sh' due to the insecure method of loading environment variables using 'export $(grep -v '^#' "$ENV_FILE" | xargs)'. Because 'SKILL.md' instructs the AI agent to prompt the user for credentials and write them directly into the '.env' file, a malicious user or prompt could inject shell commands into the configuration values that would execute when the script is run. While the tool's purpose of uploading to Cloudinary is legitimate, the lack of input sanitization in the wrapper scripts poses a security risk.
- External report: View on VirusTotal
