Back to skill
Skillv1.0.3
VirusTotal security
Wavespeed Nanobanana2 · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:11 AM
- Hash
- d0571656a76d8c15d9d86205bd4fdd3c6e475dbbd7c95e6d0e5979e49bddfb5e
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: wavespeed-nanobanana2 Version: 1.0.3 The skill bundle contains a hardcoded API key in a test block within `index.js`, which constitutes a significant credential leak vulnerability. Additionally, `index.js` includes an Immediately Invoked Function Expression (IIFE) that executes a network request to `api.wavespeed.ai` automatically upon module load, which is unexpected behavior for a skill. Furthermore, the `skill.json` file is provided as a shell command (`echo ... > path`) rather than raw JSON, which could be used to trick an automated agent into executing unauthorized filesystem operations.
- External report
- View on VirusTotal