Skill v1.0.3
VirusTotal security
Gmail Label Manager · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:52 AM
- Hash: f54fa129d8e2fd67f064d49a968ecd8629bb5b41c9a65f5e44fb56e8afd7d552
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: gmail-label-manager. Version: 1.0.3. The `script.sh` contains a critical Remote Code Execution (RCE) vulnerability in the `add_calendar_event` function, where it uses `eval` to execute a command string constructed from potentially unsanitized email content (e.g., subject, description). A malicious email could craft content to inject arbitrary shell commands. Additionally, the script is designed to extract and send a wide range of sensitive personal information (financial, health, family, security alerts) to Telegram, which, while intended functionality, poses a significant data exposure risk if the Telegram bot token or chat ID are compromised.
