Back to skill
Skillv1.3.0
VirusTotal security
one-mail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMay 1, 2026, 6:05 AM
- Hash
- cba65525ce8ec87c8d77661a9041deab0b188deb04a40d8ccb7119b4803419ba
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: one-mail Version: 1.3.0 The skill bundle is a functional multi-account email CLI, but it contains a significant shell injection vulnerability in 'scripts/lib/gmail.sh' where the 'eval' command is used on unsanitized user input (search queries). It also handles highly sensitive data, including email passwords and OAuth refresh tokens, storing them in '~/.onemail/credentials.json'. While it attempts to secure these with 'chmod 600' and the logic appears consistent with its stated purpose, the combination of sensitive credential handling and RCE-prone command construction warrants a suspicious classification.
- External report
- View on VirusTotal