Skill v1.0.0
VirusTotal security
Agent Mailbox · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 30, 2026, 5:29 AM
- Hash: 87a1f2a03c741d33a55be17190170ff7c4fb7537a0978ec66f4374a7decf93cd
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: agent-mailbox. Version: 1.0.0. The skill implements a file-based messaging system that contains a Path Traversal vulnerability in `src/lib/mailbox.ts`, where the `to` recipient parameter is used to construct file paths without sanitization, allowing an attacker to write files to arbitrary locations. Furthermore, the `agent-heartbeat.ts` example and `SKILL.md` instructions promote the use of a `callback_url` metadata field that triggers outbound HTTP POST requests to arbitrary user-supplied URLs, which could be leveraged for data exfiltration or SSRF. While these behaviors are aligned with the stated purpose of an 'agent mailbox', they represent significant security risks that could be exploited by malicious messages.
