Skill v1.1.1
VirusTotal security
Maliang Image · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:54 AM
- Hash: a4bb7bbe28daa12334208a195d61845e626eacfe54482c20bd4025ff735349aa
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: maliang-image; Version: 1.1.1. The skill is classified as suspicious due to significant vulnerability potential arising from its instructions to the AI agent. Specifically, SKILL.md instructs the agent to read and base64-encode *any* local file path provided by the user, or download from *any* user-provided URL, and then send this content to the `nano.djdog.ai` API as an 'image' payload. While this functionality is necessary for image editing, the lack of explicit guardrails against reading non-image files or accessing internal network resources creates a high risk of Local File Inclusion (LFI) or Server-Side Request Forgery (SSRF) if an attacker can trick the agent via prompt injection into providing sensitive file paths (e.g., `~/.ssh/id_rsa`, `/etc/passwd`) or malicious URLs. This represents a critical vulnerability rather than direct malicious intent from the skill itself.
