Skill v1.0.2

VirusTotal security

Grok Imagine Image Pro · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 3:54 AM

Hash: 76c3285bee1785a5a02a11ededaaa686b3e8ebd20df19a017da363ca8ce4dec4
Source: palm
Verdict: suspicious

Code Insight
Type: OpenClaw Skill
Name: grok-imagine-image-pro
Version: 1.0.2

The skill is classified as suspicious due to the potential for Local File Inclusion (LFI) and subsequent data exfiltration. The 'Edit from local file' command in SKILL.md allows reading an arbitrary local file (via `<SOURCE_PATH>`), base64 encoding its content, and sending it to the external xAI API endpoint (`https://api.x.ai/v1/images/generations`). While the skill's stated purpose is to process image files, this mechanism could be abused by a malicious user or a prompt-injected agent to exfiltrate sensitive non-image files from the local system to an external service.

Additionally, the direct insertion of user prompts into JSON payloads for the `curl` commands presents a prompt injection vulnerability against the xAI API if the agent does not properly sanitize user input.