ClawHub

GroupMe

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward GroupMe posting helper, but users should protect the GroupMe token and review messages before sending or scheduling them.

Install only if you are comfortable giving OpenClaw a GroupMe bot ID and access token that can post to the selected group. Keep the secrets file private, do not send secrets or sensitive personal data through automated messages, and review cron jobs or generated announcements before enabling them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README suggests broad natural-language triggers like 'Send a reminder to the group' and 'Post this announcement,' which can overlap with ordinary chat requests and cause unintended invocation of an outbound messaging skill. In an agent environment, this increases the chance that routine user text is forwarded to GroupMe without an explicit confirmation boundary.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explains that messages go through the GroupMe API but does not clearly warn users that message content and identifiers like bot ID, group ID, and access token are involved in third-party transmission and integration. This omission can lead to accidental sharing of sensitive operational or personal information through the skill.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The invocation examples are broad natural-language triggers like 'Send a message to the group' without guardrails on recipients, content classes, or confirmation requirements. In an agent setting, vague triggers can cause accidental or unauthorized outbound messaging, especially for scheduled or automated workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill description explains functionality but does not prominently warn that message text and attachments are transmitted to an external third-party service, GroupMe. This can lead users to share sensitive operational or personal information without informed consent about external data handling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal