Back to skill
Skillv2.5.0
VirusTotal security
Send Email Tool · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:49 AM
- Hash
- dab1f02814735a7d7833228023b5fc814326c17d5b9372e0efdb9be3fe426ee3
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: send-email-tool Version: 2.5.0 The skill's core functionality of sending emails is benign. However, it is classified as suspicious due to a critical vulnerability in its credential management fallback. If the `keyring` library is not available, the skill stores the sender's email and password in local files (`~/.send_email_username`, `~/.send_email_password`) using base64 encoding. Base64 is an encoding, not encryption, making these credentials easily reversible and recoverable by anyone with local file access, despite the files being set to 0o600 permissions. This insecure storage mechanism, explicitly noted in `SKILL.md` and implemented in `scripts/send_email.py`, presents a significant security flaw that could be exploited if the system is compromised, even though there is no evidence of intentional malicious exfiltration by the skill itself.
- External report
- View on VirusTotal