Skill v1.0.0
VirusTotal security
Images Sender · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:30 AM
- Hash: da788daad2c4c124f3134e4a80a51299195ae3b2d0bb755dcfdf1940ce0f9d96
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: images-sender; Version: 1.0.0. The skill provides a utility to send images via iMessage using AppleScript, but it contains a significant command injection vulnerability. In `scripts/send.py`, the `send_imessage` function constructs an AppleScript string using f-strings with unsanitized input (`send_path` and `formatted_recipient`), which could allow an attacker to execute arbitrary AppleScript or shell commands if a crafted filename or recipient string is provided. While the intent appears functional, the high-risk nature of unsanitized `osascript` execution warrants a suspicious classification.
