Back to skill
Skillv1.0.0
VirusTotal security
139mail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:16 AM
- Hash
- 11491efaf1ee48f0c665a608af66277b151aa7db6743f3cb27f262e6966caf80
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: 139mail-skill Version: 1.0.0 The skill provides legitimate email functionality but contains a security vulnerability in `scripts/email.js` where `rejectUnauthorized: false` is used for IMAP connections, disabling TLS certificate validation and enabling potential man-in-the-middle attacks. Additionally, the script's ability to attach arbitrary local files via the `--attach` argument represents a high-risk capability that could be used for data exfiltration if the agent is targeted by prompt injection, although this behavior is currently aligned with the skill's stated purpose.
- External report
- View on VirusTotal