Back to skill
Skillv1.0.0
VirusTotal security
QQ Mail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 29, 2026, 3:55 AM
- Hash
- a4f4db85845853053f4969c42913f4c97f2515783d77f52a7e5d723661e48d89
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: qqmail Version: 1.0.0 The skill is classified as suspicious due to two primary reasons. First, the `send` command in `scripts/qqmail.py` allows attaching arbitrary files from the local filesystem via the `--attachment PATH` argument. While a legitimate feature, this capability could be exploited by a malicious agent prompt to exfiltrate sensitive user files (e.g., credentials, private keys). Second, the `search` command in `scripts/qqmail.py` constructs IMAP search queries by directly concatenating user-provided arguments (e.g., `--subject`, `--from`) into the search string, which presents a potential IMAP injection vulnerability if a malicious user provides specially crafted input. There is no evidence of intentional malicious behavior such as hardcoded exfiltration domains, backdoors, or obfuscation; the issues are vulnerabilities or risky capabilities rather than explicit malware.
- External report
- View on VirusTotal