Back to skill
Skillv0.1.0
VirusTotal security
Lumail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
ReviewMar 22, 2026, 2:21 AM
- Hash
- 35a0d46e29a1b1b3101812ffe80502fb793561c04eb249b1e0da4e598fc32804
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lumail Version: 0.1.0 The 'lumail' skill (SKILL.md) is classified as suspicious because it provides high-risk capabilities that, while plausibly necessary for its stated purpose, present a significant attack surface for an AI agent. Specifically, the CLI includes a command to display raw authentication tokens ('pnpm lumail auth show --raw') and a generic tool-execution interface ('pnpm lumail tools run'), both of which could be targeted by prompt injection to exfiltrate credentials or perform unauthorized API operations. Additionally, the skill requires network access to lumail.io and file system access to ~/.config/lumail/token, which are identified as risky behaviors under the provided criteria. No evidence of intentional malice was found, but the broad API surface and direct secret access warrant caution.
- External report
- View on VirusTotal