Back to skill
Skillv0.1.5
VirusTotal security
OctoMail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:49 AM
- Hash
- f1ee71c76b9c270215348e122ab0ed2313e77907e7e54e867ef33ace40f6d846
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: octomail Version: 0.1.5 The skill is classified as suspicious due to a significant supply chain vulnerability and potential file write risks. The `SKILL.md` file instructs the agent to fetch and interpret new skill definitions from a remote URL (`https://api.octomail.ai/skill.md`). This self-update mechanism allows for dynamic modification of the agent's behavior, posing a high risk if the remote server is compromised, as an attacker could inject malicious instructions. Additionally, the attachment download functionality (`curl ... -o file.pdf`) introduces a file write capability, which could be exploited if the agent does not properly sanitize filenames or paths, potentially leading to arbitrary file overwrites or placement of malicious content.
- External report
- View on VirusTotal