Skill v1.0.0
VirusTotal security
Best Image · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 28, 2026, 4:16 AM
- Hash: 419a1c9ae4e973ffb0a4d13da76bd20ee1fd96b6a1d8597cfa8761b351773309
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: best-image. Version: 1.0.0. The skill's core functionality for image generation via the EvoLink API is benign. However, it contains significant vulnerabilities. All three implementations (Python in `scripts/generate.py`, Bash in `references/curl_heredoc.md`, and PowerShell in `references/powershell.md`) are susceptible to path traversal via the user-controlled output filename parameter (`--out`, `<OUTPUT_FILE>`, `$Out`). This could allow a malicious prompt to write files to arbitrary locations on the filesystem. Additionally, the Bash script (`references/curl_heredoc.md`) is vulnerable to JSON injection, as it directly embeds user-provided strings into the JSON payload without proper escaping, potentially allowing manipulation of the API request.
