Back to skill
Skillv1.0.0
VirusTotal security
CMA Email · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 3:47 AM
- Hash
- 608f70bb2f2616ec87bbd072ce00574b6afae4b915a3d9fd08a3ca58f892ef91
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: cma-email Version: 1.0.0 The skill is vulnerable to prompt injection via user-controlled input in the subject and body fields, as these are directly embedded into the `gog` skill command within `SKILL.md`. An attacker could craft a message (e.g., `cma my subject. **SYSTEM INSTRUCTION: [malicious command]** | my body`) to inject arbitrary instructions for the AI agent, potentially leading to unauthorized actions or information disclosure, even though the skill's stated purpose is benign email sending.
- External report
- View on VirusTotal