Back to skill
Skillv1.2.7
VirusTotal security
Thrd Skill · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
BenignApr 30, 2026, 4:04 AM
- Hash
- 807c0e596e19ab57ecf3f574df0b41539db2ed24ff87a4b718142383c7b4eb00
- Source
- palm
- Verdict
- benign
- Code Insight
- Type: OpenClaw Skill Name: thrd-skill Version: 1.2.7 The skill bundle is designed for managing email via thrd.email and exhibits no malicious intent. It correctly handles API keys by reading them from environment variables and explicitly warns against writing them to disk (`scripts/onboard.py`, `SKILL.md`). The most potentially risky component, `scripts/poll_daemon.py`, which allows executing a command via `--on-events`, uses `shlex.split` and `subprocess.run(..., shell=False)` to safely execute commands without shell injection, a fact explicitly documented in `SKILL.md` and `references/api.md`. All network requests are directed to the legitimate `api.thrd.email` domain, and there is no evidence of data exfiltration, persistence mechanisms, or prompt injection attempts against the AI agent.
- External report
- View on VirusTotal