Sideload Avatar Generator

Generate 3D avatars (VRM/GLB/MML) from text or images via Sideload.gg, paying $2 USDC per generation using any x402 wallet on Base.

This package appears to implement exactly what it claims — a Node.js CLI that posts prompts/images to sideload.gg and pays via an x402 token — but take these precautions before running it: 1) Treat the x402 token as a secret. Avoid passing it on the command line if others share the machine or if you care about it appearing in process listings or shell history; prefer a safer mechanism (stdin, ephemeral file, or an environment variable in a secure session) if possible. 2) Only upload images you intend to share: if you pass a local file path the script will base64-embed and send the file to the remote service (do not point it at sensitive files). 3) Verify the service domains (sideload.gg, aimml.sideload.gg, aimml.onrender.com) and, if concerned, inspect the included scripts (generate.js/status.js) yourself before running. 4) Ensure you have Node.js 18+ (the scripts use global fetch). 5) If you need higher assurance, confirm the upstream repository and release provenance (package.json points to a GitHub repo but the skill's homepage is missing in registry metadata).

Type: OpenClaw Skill Name: sideload-avatar-generator Version: 1.0.2 The skill is classified as suspicious due to a local file read vulnerability in `scripts/generate.js`. The script directly uses the `--image` argument to read local files (`readFileSync(imageInput)`) and base64-encodes their content for upload to `https://sideload.gg`. While intended for image files, this lacks input sanitization, allowing an attacker or a prompt-injected agent to potentially specify arbitrary file paths (e.g., `/etc/passwd`, `~/.ssh/id_rsa`), leading to local file disclosure to the third-party Sideload.gg service. There is no evidence of intentional malicious behavior, but this constitutes a significant vulnerability.