Skill v1.1.4
VirusTotal security
Lel Mail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 4:14 AM
- Hash: 759a40ec9dc7d1e90f7d63a8eb5ec846cb6fd4ab6a437305bf69c152ae49072a
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill; Name: lel-mail; Version: 1.1.4. The skill is classified as suspicious due to a critical prompt injection vulnerability found in `scripts/check_email.sh`. This script directly embeds untrusted email content (subject, sender, body) into prompts sent to the `openclaw agent`. An attacker sending a crafted email could inject arbitrary instructions into the agent's subsequent actions, such as adding malicious content to the agent's memory, sending unauthorized notifications to the user, or coercing the agent to request and then exfiltrate sensitive information via the `lel-mail` skill itself. This is a severe design flaw that allows for malicious exploitation, rather than inherently malicious code.
- External report: View on VirusTotal
