Skill v1.0.0
VirusTotal security
TokenMail · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
Review · Mar 25, 2026, 1:16 PM
- Hash: 52c5b5937b27d1e0cb7daab3fde1103720d20dace681af2a4856d3c440361eb0
- Source: palm
- Verdict: suspicious
- Code Insight:
  - Type: OpenClaw Skill
  - Name: token-mail
  - Version: 1.0.0

  The skill implements a messaging client that manages sensitive cryptographic keys (private keys and mnemonics) for the 'TokenMail' service. A significant security risk exists in `scripts/tokenmail_cli.js`, which dynamically downloads and executes the `ethers` library from a public CDN (jsdelivr.net) using `vm.runInNewContext` if the local module is not found. Furthermore, the script stores these sensitive credentials in unencrypted plain-text JSON files within the user's home directory (`~/.tokenmail`). While these features are framed as 'sandbox-friendly' optimizations, they introduce high-risk vulnerabilities including potential Remote Code Execution (RCE) and insecure credential handling.
