Skill v1.0.0
VirusTotal security
Cold Email Engine · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 6:03 AM
- Hash: 37dc0f727900822ccead21503988ccfa315b39d91b024ddf236a49116dd7f96e
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: cold-email-engine
  - Version: 1.0.0
  - Summary: The skill bundle provides a functional cold email outreach system, but contains a significant SSRF (Server-Side Request Forgery) vulnerability in `scripts/enrich-leads.js`. This script fetches content from URLs constructed directly from user-provided CSV data without validating the target domains, which could allow an attacker to probe internal network services or cloud metadata endpoints. Additionally, `scripts/cold-email-engine.js` passes unsanitized CSV headers to a dynamic `RegExp` constructor for template substitution, creating a potential risk of Regular Expression Denial of Service (ReDoS).
