Back to skill
Skillv1.0.2
VirusTotal security
Cat Selfie · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:30 AM
- Hash
- 24b425ecb74e3867088455acacd58772b074df4b20330deafd7350c427ee7182
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cat-selfie Version: 1.0.2 The skill contains a shell injection vulnerability in `scripts/selfie.js` where it uses `execSync` to execute a command constructed by concatenating strings, including a 'prompt' retrieved from `config/scenes.json`. While the current prompts are benign and the script validates the user-provided scene name against a whitelist, the lack of proper escaping or use of an argument array in `execSync` is a high-risk coding practice. The skill also relies on a hardcoded relative path to a separate skill (`volcengine-image-generate`), which could lead to execution failures or unexpected behavior if the environment is not configured exactly as expected.
- External report
- View on VirusTotal