Back to skill
Skillv1.0.2
VirusTotal security
Skulk Email · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 5:49 AM
- Hash
- ba1455190197db0acb28c90a39173cc06b315e4b73900957b93c75ca9996954c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: skulk-email Version: 1.0.2 The skill provides legitimate email functionality via IMAP and DreamHost Roundcube webmail automation to bypass SMTP blocks. However, it contains a security vulnerability in `scripts/skulk-email.sh` where sensitive email credentials (passwords) are passed as plaintext command-line arguments to a Python subprocess, making them visible to other users on the system via the process list. It also stores session cookies in the shared `/tmp` directory. While these appear to be unintentional design flaws rather than malicious intent, they represent a risk to credential confidentiality.
- External report
- View on VirusTotal