AI Image Generator & Splitter
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: banana-v2 Version: 1.1.0 The skill contains multiple critical security vulnerabilities that could be exploited for Remote Code Execution (RCE) and arbitrary file exfiltration. Specifically, `server/index.js` uses `child_process.exec` on unsanitized user input in the `/api/open-folder` route, allowing for command injection. Additionally, `server/services/upload.js` implements a feature that reads arbitrary local files via `fs.readFileSync` and uploads them to a remote endpoint (platform.acedata.cloud) without path validation. While these functions support the tool's stated purpose of managing images and using the AceData API, the lack of security controls makes the skill highly dangerous if the AI agent is prompted to access sensitive system files or execute malicious commands.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the local service is reachable or misused, files from arbitrary local paths could be sent to the external upload service, not just images the user intentionally selected.
The upload service is not limited to browser-selected images; it accepts local absolute paths, reads the file from disk, and uploads the content to the configured provider using a platform token.
支持多种输入格式... 2. 本地绝对路径 - 从硬盘读取文件上传 ... const buffer = fs.readFileSync(filePath); ... axios.post(config.server.upload_url, formData, { headers: { 'Authorization': `Bearer ${platformToken}`Restrict uploads to explicit user-selected image files, validate MIME type and extension, block arbitrary absolute paths by default, and require a clear confirmation before any local file is uploaded.
A crafted request to the local service may be able to trigger operating-system command execution behavior, especially if command arguments are not safely escaped.
The open-folder endpoint takes a path from the HTTP request and the static scan shows it reaches child_process.exec, creating shell-execution risk around a user-controlled path.
app.post('/api/open-folder', (req, res) => { ... const { path: folderPath } = req.body; ... fs.existsSync(folderPath) ... exec(command, (error) => {Avoid shell exec for opening folders; use safer spawn/execFile APIs with argument arrays, restrict paths to the app’s generated image directory, and require local-only authenticated access.
Provider tokens can remain available to later requests while the server runs and may appear in local logs, increasing the impact of any misuse of the local API.
The service persists a request-supplied platform token in process.env and logs the full upload request object, which may include credentials or file data.
const platformToken = data.platform_token || process.env.PLATFORM_TOKEN; ... if (data.platform_token) { process.env.PLATFORM_TOKEN = data.platform_token; } ... console.log(data)Do not log request bodies containing tokens, store credentials in a scoped secret store instead of process.env, and clear or isolate credentials per user/session.
If attacker-controlled script text can enter the loaded UI content, it could run in the browser context and potentially access locally stored API keys.
The frontend dynamically executes text from the DOM, which is not necessary for the stated image-generation purpose and can magnify any HTML/script injection issue.
eval($(this).text());
Remove eval and load trusted scripts through static files or explicit module imports; avoid executing script text extracted from HTML.
Installing later may pull dependency versions that were not the exact versions reviewed here.
The skill depends on standard Node packages for its purpose, but caret ranges and no included lockfile mean npm install may resolve different package versions over time.
"dependencies": { "axios": "^1.13.6", "cors": "^2.8.6", "express": "^5.2.1", "form-data": "^4.0.0", "sharp": "^0.34.5", "sqlite3": "^6.0.1" }Use a lockfile or pinned dependency versions and install only from trusted package registries.