Skill v1.0.0
VirusTotal security
Cheapest Image · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:17 AM
- Hash: 108a97252c6fe9365563921d0d50a465ca9276c65cff1a395519224a650f56b9
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: cheapest-image; Version: 1.0.0. The skill bundle is classified as suspicious due to a JSON injection vulnerability present in the `references/curl_heredoc.md` fallback script. The agent is instructed to directly replace `<USER_PROMPT>` into a JSON payload within a `curl` heredoc block. If a user provides input containing unescaped double quotes or other JSON-breaking characters, it could lead to the injection of arbitrary JSON fields into the API request to `https://api.evolink.ai/v1`. While this does not directly lead to local system compromise or agent prompt injection, it represents a vulnerability that could be exploited against the Evolink API itself. The primary Python script (`scripts/generate.py`) and the PowerShell fallback (`references/powershell.md`) correctly handle JSON serialization and are not susceptible to this specific vulnerability.
