Back to skill
Skillv1.0.1
VirusTotal security
Imsg Media · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:44 AM
- Hash
- e8783bb4e9fe7dfc3d6802bbc0d8f2f28e07d69cfbfb6c0f437dddc4d53a34c5
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: imsg-media Version: 1.0.1 The skill is classified as suspicious due to a significant shell injection vulnerability risk, amplified by its requirement for Full Disk Access. The `SKILL.md` instructs the OpenClaw agent to execute shell commands (e.g., `python3 scripts/imsg_voice_transcribe.py fetch --identifier "sender@example.com"` and `sips -s format png "input.heic" --out "output.png"`) where arguments like `identifier` and attachment file paths (`input.heic`) are derived from untrusted external sources (iMessage sender, attachment filenames). If the OpenClaw agent does not properly sanitize or escape these inputs before executing the commands, an attacker could inject arbitrary shell commands.
- External report
- View on VirusTotal