Scan Report
0 /100
tuta-mail
Send, read, and manage emails via Tuta (formerly Tutanota) encrypted email service
Legitimate Tuta encrypted email client with proper E2E cryptography, no credential exfiltration, and no malicious behavior.
Safe to install
This skill is safe to use. Ensure pip dependencies are version-pinned in production for reproducibility.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | READ,WRITE | WRITE | ✓ Aligned | SKILL.md:session-file / scripts/tuta_client.py:save_session (line 204) |
| Network | READ,WRITE | READ,WRITE | ✓ Aligned | SKILL.md declares API usage at https://app.tuta.com/rest/ |
| Shell | NONE | NONE | — | No subprocess or shell execution; uses Python directly |
| Environment | NONE | NONE | — | No direct environment variable access; credentials from openclaw.json |
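The Filesystem row points at save_session as the only write. The pattern a reviewer would check there is that the session file is created with 0o600 from the start and that a file someone later loosened is refused. The following is an added example, not the tuta-mail skill's own code; the file name, JSON layout and token value are constructed for the example.

```python
# Added example, not the tuta-mail skill's own code: create the session file
# with mode 0o600 at open time and refuse to load a session file that other
# users can read. The file name, JSON layout and token value are constructed
# for this example.
import json
import os
import stat
import tempfile


def save_session(path: str, session: dict) -> None:
    # Passing mode=0o600 to os.open with O_CREAT|O_EXCL means the file never
    # exists with the umask's default bits, unlike open() followed by chmod().
    # Writing to a temp file and os.replace()-ing it keeps the update atomic,
    # so a crash cannot leave a truncated session behind.
    directory = os.path.dirname(os.path.abspath(path))
    tmp = os.path.join(directory, f".{os.path.basename(path)}.{os.getpid()}.tmp")
    fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        with os.fdopen(fd, "w") as f:
            json.dump(session, f)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)
    except BaseException:
        if os.path.exists(tmp):
            os.unlink(tmp)
        raise


def load_session(path: str) -> dict:
    # Fail closed if someone loosened the permissions after the file was
    # written, or swapped the path for a symlink or FIFO.
    st = os.lstat(path)
    if not stat.S_ISREG(st.st_mode):
        raise ValueError("session path is not a regular file")
    if stat.S_IMODE(st.st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError("session file is group/world accessible, refusing to load")
    with open(path) as f:
        return json.load(f)


def session_mode(path: str) -> int:
    return stat.S_IMODE(os.stat(path).st_mode)


def loosened_file_is_refused(path: str) -> bool:
    # Simulate an operator running chmod 644 on the session file.
    os.chmod(path, 0o644)
    try:
        load_session(path)
    except PermissionError:
        return True
    finally:
        os.chmod(path, 0o600)
    return False


def demo() -> dict:
    # Constructed session, written to a throwaway directory.
    path = os.path.join(tempfile.mkdtemp(), "tuta-session.json")
    save_session(path, {"userId": "example-user", "accessToken": "constructed-token"})
    return {"path": path, "mode": session_mode(path), "session": load_session(path)}


if __name__ == "__main__":
    print(demo())
```

The permission check on load matters as much as the mode on write: a 0o600 file that a later backup or copy step turns into 0o644 still holds a live access token.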
2 findings
| Severity | Type | Value | Location |
|---|---|---|---|
| Medium | External URL | https://app.tuta.com/rest/ | SKILL.md:8 |
| Medium | External URL | https://app.tuta.com/rest | scripts/tuta_client.py:30 |
File Tree
2 files · 24.8 KB · 672 lines (Python: 1 file, 588 lines · Markdown: 1 file, 84 lines)
├─ scripts/
│  └─ tuta_client.py (Python)
└─ SKILL.md (Markdown)
Dependencies 4 items
| Package | Version | Source | Known Vulns | Notes |
|---|---|---|---|---|
| requests | * | pip | No | Version not pinned in SKILL.md documentation |
| pycryptodome | * | pip | No | Version not pinned |
| bcrypt | * | pip | No | Version not pinned |
| argon2-cffi | * | pip | No | Version not pinned |
Security Positives
✓ End-to-end encryption properly implemented with AES-128-CBC + HMAC-SHA256
✓ Session files stored with restrictive permissions (chmod 0o600)
✓ MAC verification prevents ciphertext tampering
✓ Argon2id supported for newer accounts with secure parameters (time_cost=4, memory_cost=32 MiB, i.e. 32768 KiB)
✓ Bcrypt at cost factor 8 (2^8 iterations, the legacy Tuta parameter) with SHA-256 pre-hashing of the password for legacy accounts
✓ All network requests exclusively to legitimate Tuta API endpoint (app.tuta.com)
✓ Credentials used only for key derivation, never stored or exfiltrated
✓ No base64-encoded execution, reverse shells, or C2 communication
✓ No credential harvesting beyond legitimate login flow
✓ Proper PKCS7 padding removal with validation