ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sms

v3.0.0

Manage SMS templates with variable substitution and formatting. Use when preparing bulk messages.

0· 268·0 current·0 all-time
by@bytesagain3
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description match the actual behavior: the SKILL.md maps directly to a local script that creates, lists, previews, substitutes variables, and exports templates stored under ~/.local/share/sms. No unrelated services, credentials, or binaries are requested.
Instruction Scope
Instructions simply call scripts/script.sh with specific commands and reference the data directory ~/.local/share/sms. They do not ask the agent to read other system files or send data externally, but the script has implementation issues (unquoted variables, some strings use single quotes so variables are not expanded, use of unquoted cp/grep arguments) that may produce incorrect or surprising outputs.
Install Mechanism
No install spec and no external downloads; the skill is instruction-only with one bundled shell script. Nothing is fetched from third-party URLs and no archive extraction occurs.
Credentials
The skill requests no environment variables, no credentials, and no config paths beyond its own data directory (~/.local/share/sms). This is proportional to its stated purpose.
Persistence & Privilege
The skill does not request 'always' presence and does not modify system-wide settings or other skills. It creates and uses a single per-user data directory under $HOME.
Assessment
This skill appears to do what it claims and does not request credentials or network access. Before installing, consider: (1) review or run the script in a safe environment — the script contains sloppy shell coding (unquoted variables, single-quoted echoes that prevent variable expansion) that can lead to incorrect behavior or path-splitting; (2) don't run it as a privileged user; (3) back up ~/.local/share/sms if you already have data there; (4) if you plan to use it in automation, patch the script to properly quote variables (e.g., use "$var") and fix the echoed messages so variables expand, and validate user-supplied names/paths to avoid accidental file overwrite or option injection; (5) prefer skills from a trusted/published source when possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk972121a31tf7an37eepfe9r7s836xtn

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments