Back to skill
Skillv1.0.1
VirusTotal security
lemlist official · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 4:18 AM
- Hash
- d43dde40e3de2e7cef10e718443f237e6dc74cc2e950f63404f4d7169851307c
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: lemlist-official Version: 1.0.1 The skill bundle is designed for legitimate integration with the Lemlist API, handling API keys securely via environment variables and using standard Python libraries for network communication to a hardcoded legitimate domain. The `SKILL.md` documentation does not contain any prompt injection attempts. However, the skill exposes the Lemlist API's capability to create webhooks (`POST /api/hooks`) with an arbitrary `targetUrl`. While this is a legitimate API feature, it represents a significant risk for data exfiltration if an AI agent is compromised via prompt injection, as these webhooks can transmit sensitive campaign and lead data to an attacker-controlled endpoint. This constitutes a risky capability without clear malicious intent from the skill developer, aligning with the 'suspicious' classification.
- External report
- View on VirusTotal