Back to skill
Skillv1.2.0
VirusTotal security
Smart Email · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:54 AM
- Hash
- 303fae6ebaf37df6f2a32518f7d4453b00329ae17c8682c6489b9b9bb0abea7a
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: smart-email Version: 1.2.0 The skill provides legitimate email management and AI summarization features, but it is classified as suspicious due to several security vulnerabilities and a discrepancy between documentation and implementation. Specifically, 'store.js' stores email passwords and OAuth tokens in plain text in a local SQLite database, contradicting the 'SKILL.md' claim of 'locally encrypted storage.' Furthermore, 'imap.js' allows disabling TLS certificate verification for custom servers, which exposes users to man-in-the-middle (MITM) attacks, and 'server.js' prints a sensitive web access token directly to the console. While no intentional malicious exfiltration was found, these flaws represent significant risks when handling sensitive communication data.
- External report
- View on VirusTotal