Skill v1.0.0
VirusTotal security
Immich API Connector · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · May 1, 2026, 4:02 AM
- Hash: d8fed8c3c589640e7be3cd251d56c499993cefbdc7b4a48f3de8a9c6ae33e3a6
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: immich-api; Version: 1.0.0. The skill bundle is classified as suspicious due to a potential path traversal vulnerability in `scripts/download_album.py`. The script constructs file paths for downloaded assets using `album_name` and `originalFileName` values retrieved directly from the Immich API response. If a malicious or compromised Immich server provides filenames containing path traversal sequences (e.g., `../../etc/passwd`), the script could write files outside the intended output directory, leading to arbitrary file write on the agent's system. There is no evidence of intentional malicious behavior, data exfiltration, or prompt injection attempts in SKILL.md.
