Back to skill

Security audit

OpenMail

Security checks across malware telemetry and agentic risk

Overview

OpenMail is a disclosed email-integration skill with real external-action and credential risks that users should manage, but the artifacts do not show hidden, deceptive, or purpose-mismatched behavior.

Install only if you want the agent to send and receive email through OpenMail. Use a dedicated API key where possible, restrict the env file permissions, review recipients, links, and attachments before sending, treat inbound messages as untrusted, and enable cron or autonomous replies only with narrow allowlists, low-risk templates, logging, and a clear cleanup plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill documentation explicitly promotes cron-based polling and autonomous email response behavior, which expands the skill from a simple email interface into a semi-autonomous external-action channel. Because email is an untrusted, externally controlled input source, encouraging automation increases the chance of prompt injection, unintended replies, spam amplification, and actions taken without explicit per-message user approval.

Vague Triggers

Medium
Confidence
77% confidence
Finding
The description is broad enough to trigger this skill for many generic email-related tasks, including signups, support interactions, and human-institution workflows, without clearly defining safety boundaries. Overbroad invocation language can cause an agent to select the skill in contexts involving sensitive identity, privacy, or transactional actions where stricter controls should apply.

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill describes fully autonomous email responses based on a sender allowlist, but does not prominently warn about privacy leakage, impersonation risk, accidental commitments, or harmful external actions. Trusting sender identity alone is a weak boundary because trusted accounts can be spoofed or compromised, and email conversations often contain indirect requests that can manipulate an agent into unsafe disclosures or actions.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup instructions explicitly tell the agent to persist a user-provided API key in a plaintext env file and source it into the current shell, without warning about storage risks, file permissions, shell history, or alternative secret-handling methods. In an agent setting, this increases the chance of unintended credential exposure through later commands, logs, debugging output, or other skills that can read local files or inherited environment variables.

Session Persistence

Medium
Category
Rogue Agent
Content
> You can get one at **https://console.openmail.sh** — sign up for free,
> then copy your API key from the dashboard.

Wait for the user to provide the key. Once received, write it to the env
file and source it into the current shell:

```bash
Confidence
92% confidence
Finding
write it to the env file and source it into the current shell: ```bash mkdir -p ~/.openclaw printf 'OPENMAIL_API_KEY=%s\n' "<their-key>" > ~/.openclaw/openmail.env source ~/.openclaw/openmail.env ```

VirusTotal

53/53 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.