ClawHub

Voipms Sms

v1.0.1

OpenClaw skill for sending and retrieving SMS messages via the VoIP.ms API (no Bitwarden dependency).

0· 352·0 current·0 all-time
by@ccormier
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description, openclaw.json, SKILL.md, and the included Python scripts all align: they implement send/get SMS via the VoIP.ms REST API and require only VoIP.ms API username/password.
Instruction Scope
SKILL.md limits runtime actions to running the two included scripts. The scripts only contact the declared VoIP.ms API endpoint and print the responses. Note: the scripts send credentials as URL query parameters (GET) which may be recorded in transit logs or server access logs — functionally consistent with the skill but a potential operational privacy concern.
Install Mechanism
No install spec; this is instruction-only with bundled Python scripts. Nothing is downloaded from external URLs during install.
Credentials
The skill requests exactly VOIPMS_API_USERNAME and VOIPMS_API_PASSWORD — appropriate and declared. However, those credentials are embedded in GET query parameters by the scripts, which increases the chance they appear in logs or intermediate proxies; SKILL.md correctly recommends using a sub-account with limited permissions.
Persistence & Privilege
always is false, the skill is user-invocable and does not request persistent system presence or modify other skills/config. Autonomous model invocation is enabled (platform default) but not combined with other concerning privileges.
Assessment
This skill appears to do what it claims: it uses the VoIP.ms API and only needs your VoIP.ms API username/password. Before installing, consider: 1) The source and homepage are unknown — if you don't trust the publisher, review the two Python scripts yourself (they are short and included). 2) The scripts put API username/password in the URL query string (GET) — this can be recorded in server logs or by intermediate proxies; prefer a dedicated sub-account as suggested or an API token/mechanism that avoids embedding credentials in URLs. 3) Store credentials in a secure place (not a long-lived shared shell session) and rotate/revoke the sub-account credentials if you stop using the skill. If you want higher assurance, ask the publisher for a provenance URL or an official homepage/source repository.

Like a lobster shell, security has layers — review code before you run it.

latestvk97cj45vvdqmdxm4vgnh0eqt858210jb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments