Agent Messenger
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill's purpose (sending messages to agents) matches the code, but the package omits required config/binary declarations and includes scripts that read local config (with bot tokens) and can install cron jobs — these inconsistencies and privileges warrant caution.
This skill does implement the advertised messaging features, but be cautious. Before running anything, inspect /data/.openclaw/openclaw.json to see which secrets (botToken, accountId, user IDs) the scripts will read and use; if those tokens are sensitive or shared, sending messages with them could have unintended effects. The package metadata fails to declare the required config path and assumes that utilities (jq, curl, python3) are available. Also review the install_heartbeat_cron.sh script: it modifies your crontab and creates a recurring job if you run it. If you proceed, run the scripts in a controlled environment, remove or change the hardcoded default user ID if you do not want it, and avoid installing the cron job until you have confirmed the scripts' behavior and the token scope. If you do not trust the source, do not run the cron installer; consider extracting only the parts you have audited, or implementing similar functionality yourself with explicit least-privilege credentials.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
No VirusTotal findings
Risk analysis
No visible risk-analysis findings were reported for this release.
