Back to skill
Skillv1.0.0
VirusTotal security
Humanize Image · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:25 AM
- Hash
- 244a9954984104ec2fa3b848d75f1ba6978fdf1fdb6230a9927f573e0441c211
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: humanize-image Version: 1.0.0 The skill's stated purpose of de-fingerprinting AI images is legitimate, and the `SKILL.md` and `README.md` files do not contain prompt injection attempts. However, the `scripts/deai.sh` file is vulnerable to shell injection. It directly passes user-controlled input file paths (`$1`, `$2`) to `magick` and `exiftool` without sufficient sanitization. A malicious actor could craft a filename (e.g., starting with `-` or containing shell metacharacters) that could be interpreted as arbitrary commands or options by the underlying tools, potentially leading to remote code execution or information disclosure. While the Python version (`scripts/deai.py`) mitigates this by using `subprocess.run` with a list of arguments (avoiding shell interpretation), the Bash script's vulnerability makes the skill suspicious due to the high risk of exploitation, despite no clear evidence of intentional malicious design by the author.
- External report
- View on VirusTotal