Skill v1.0.0

VirusTotal security

email-reporter · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Review · Apr 30, 2026, 5:43 AM

Hash: fce97412da74ea86e99d387dd91bcbfb5b2fb6bf280d7eb25cd532482670941e
Source: palm
Verdict: suspicious

Code Insight

Type: OpenClaw Skill
Name: email-reporter
Version: 1.0.0

The skill contains a shell injection vulnerability in `send_attachment.py` within the `send_via_msmtp` function, where the `to_addr` variable is directly interpolated into a shell command string (`subprocess.run(..., shell=True)`). While the tool's primary purpose of sending email reports appears legitimate, this flaw could be exploited for arbitrary command execution if the recipient field is controlled by an attacker. No clear evidence of intentional malice, data exfiltration, or prompt injection was found.