Skill v1.0.0
VirusTotal security
Civitai Generation API · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:57 AM
- Hash: 28ef00dfca9bbc088a804635581e82581e37cde56b131bd6c2c02af2341fe904
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: civitai-api-art; Version: 1.0.0. The skill is classified as suspicious due to a critical arbitrary file write vulnerability in `scripts/get_illust.js`. The script uses `path.resolve()` for the `--output` argument but does not sanitize the path to prevent writing to arbitrary locations on the filesystem (e.g., `/etc/passwd` or `~/.bashrc`) if a malicious absolute path is provided by the user or a compromised agent. While the stated purpose of generating and saving images is benign, this vulnerability allows for potential system compromise or data destruction.
