Skill v1.0.0
VirusTotal security
IMAP/SMTP Email (Plus) · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 4:24 AM
- Hash: 47ff2a4e4ca0ebd5fbe9ceedc1a408781927e75da8f24d165a9274bc027600d0
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: imap-smtp-email-plus
  - Version: 1.0.0
  - This skill is classified as suspicious due to critical vulnerabilities, specifically a shell injection risk in `setup.sh` and arbitrary file read/write capabilities in `scripts/imap.js` and `scripts/smtp.js`. The `setup.sh` script expands user-provided `EMAIL` and `PASSWORD` variables directly within a `cat << EOF` block, making it vulnerable to command injection if malicious input is provided. Additionally, `scripts/imap.js` allows writing attachments to arbitrary paths via the `--dir` option in the `download` command, and `scripts/smtp.js` allows reading arbitrary files for email bodies or attachments via `--attach`, `--body-file`, `--html-file`, and `--subject-file` options. While these file operations are inherent to an email client, the lack of input sanitization or sandboxing mechanisms makes them significant vulnerabilities that could be exploited for information disclosure or arbitrary file writes if the agent is compromised, even without explicit malicious intent from the skill author.
