Skill v1.2.0
VirusTotal security
Gmail Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Suspicious · Apr 29, 2026, 3:52 AM
- Hash: 9d42734c390aea508e027dcb81048a2e21b6d87fbfadbb48c3e53c9696968ed0
- Source: palm
- Verdict: suspicious
- Code Insight: Type: OpenClaw Skill. Name: gmail-skill. Version: 1.2.0. The skill is classified as suspicious due to a critical Remote Code Execution (RCE) vulnerability in `bins/gmail-background-task.sh`. The script uses `eval "$COMMAND"` to execute tasks, allowing arbitrary shell command injection if the `$COMMAND` argument can be influenced by an attacker (e.g., via prompt injection against the AI agent). Furthermore, the output of the executed command is sent to the `WHATSAPP_NOTIFY_TARGET`, which could facilitate data exfiltration if the RCE vulnerability is exploited. While the `SKILL.md` attempts to enforce secure usage by mandating the wrapper, the wrapper itself contains this severe flaw.
- External report: View on VirusTotal
