Signal
Security checks across malware telemetry and agentic risk
Overview
This skill is a Signal messaging integration whose behavior is mostly disclosed, but it documents Signal-triggered configuration changes that are enabled by default, which users should review before installing.
Before installing, use a dedicated Signal bot number, restrict `dmPolicy`, `allowFrom`, `groupPolicy`, and `groupAllowFrom`, consider setting `configWrites` to false, keep history and attachment handling minimal, and install `signal-cli` only from a trusted source.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A paired or allowed Signal user may be able to change agent/channel configuration through chat commands, affecting future behavior beyond a single message.
The documented default below indicates that commands originating from Signal can change OpenClaw configuration. The visible artifact does not clearly restrict this to the owner, require explicit approval, or describe containment or rollback.
- `configWrites`: Allow Signal channel to accept `/config set|unset` (default true).
Disable `configWrites` unless needed, restrict it to owner-only DMs, and require explicit confirmation and logging for every configuration change.
Messages and reactions may be sent from the configured Signal account, so mistakes or misuse can affect real conversations.
The skill uses a Signal account identity to send and react to messages. That is expected for the integration and is disclosed, but it is delegated account authority.
The gateway connects to a *Signal device* (the `signal-cli` account). If you use your personal Signal account, the bot will ignore your own messages... Use a **separate bot number** for optimal operation.
Use a dedicated bot number, avoid using a personal Signal account, and keep DM/group allowlists narrow.
Recent group chat content may be exposed to the agent and could steer its responses, including content from non-owner participants.
The skill documents including recent Signal group messages as agent context. This is purpose-aligned, but private or untrusted chat content may influence the agent.
- Group history context uses `channels.signal.historyLimit` (default 50, set 0 to disable).
Set conservative history limits, disable history where not needed, and keep group access allowlisted.
Signal connectivity may rely on a background process that continues to receive or handle messages while the channel is enabled.
The skill documents automatic background daemon startup. It is disclosed and related to Signal connectivity, but users should know it may keep running outside a single interaction.
- `autoStart`: Auto-spawn daemon (default true if `httpUrl` unset).
Disable `autoStart` if you want to manage the daemon manually, or configure a known `httpUrl` and monitor the daemon lifecycle.
Users must obtain and configure `signal-cli` themselves, so safety depends on installing it from a trusted source.
The skill depends on an external `signal-cli` binary, while the provided install metadata has no install spec or required binary declaration. This is purpose-aligned but leaves dependency provenance to the user.
- `cliPath`: Path to `signal-cli` binary.
Install `signal-cli` only from trusted upstream sources, keep it updated, and verify the configured `cliPath` points to the intended binary.
