Back to plugin

Security audit

Openclaw Channel Imap

Security checks across malware telemetry and agentic risk

Overview

This appears to be what it claims: an IMAP/SMTP email channel plugin, though it runs real code and will use whatever mailbox credentials you configure.

Before installing, understand that this plugin gives OpenClaw access to read a configured mailbox and send replies through the configured SMTP account. That matches its purpose, but it is powerful: use a dedicated mailbox, prefer a restricted secret reference such as `pass` entries for only the mail passwords, keep the allowlist/rate-limit/authentication checks enabled where possible, and avoid giving the mail-facing agent broad tools or sensitive memory. Also verify the npm package metadata/scripts if you install it manually, because the registry entry has no explicit install spec even though the package contains executable code.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/secrets/pass-resolver.js:6
Evidence
* argv[] by spawn(), but tight input validation is a cheap second line of

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/secrets/pass-resolver.ts:8
Evidence
* argv[] by spawn(), but tight input validation is a cheap second line of

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/connection/imap-connection.js:27
Evidence
password: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/gateway/resolve-account.js:28
Evidence
password: [REDACTED](imapRaw.password, `imap.password for account ${accountId}`),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/smtp/sent-folder-writer.js:29
Evidence
password: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/connection/imap-connection.ts:52
Evidence
password: [REDACTED],

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/gateway/resolve-account.ts:35
Evidence
password: [REDACTED](imapRaw.password, `imap.password for account ${accountId}`),

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/smtp/sent-folder-writer.ts:54
Evidence
password: [REDACTED],