himalaya

SUSPICIOUS: the skill’s stated purpose is coherent with an email CLI, but the install path is internally inconsistent with the documented OpenClaw CLI and the skill provides almost no detail on credentials or data flow. No direct credential harvesting or exfiltration is shown, so this is not malware, but the transitive install trust and CLI mismatch make it medium risk.