Claw Messenger - iMessage without a Mac
Status: Pending. Static analysis audit pending.
Overview
No static analysis result has been recorded yet. Pattern checks will appear here once the artifact has been analyzed.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with this plugin could send messages from the user's messaging account, which may contact unintended people, create billing consequences, or send sensitive content if the agent is misdirected.
The API key grants the agent authority to send and receive real iMessage/RCS/SMS messages. The artifact documents inbound DM controls, but does not document outbound approval, recipient limits, rate limits, or similar safeguards.
Scope: "Authorizes sending and receiving messages on your account only"
Use a test or tightly scoped key first, require human confirmation before outbound messages, and prefer an outbound recipient allowlist or similar control before using it for real contacts.
Users relying on registry metadata may not realize the skill needs a secret key that authorizes account messaging.
The registry metadata does not declare a credential or config path, while SKILL.md says the plugin requires a secret Claw Messenger API key stored in `.openclaw.json` under `channels.claw-messenger.apiKey`.
Primary credential: none; Required config paths: none
The publisher should declare the API key and `.openclaw.json` config path in registry metadata, and users should treat the key like a password and rotate it if exposed.
The security of the actual messaging plugin depends on the external package, which was not reviewed here.
The reviewed skill bundle is instruction-only with no code files or install spec, but the documentation points users to install an external npm/OpenClaw package. This is user-directed and purpose-aligned, but the runnable package was outside the provided artifacts.
openclaw plugins install @emotion-machine/claw-messenger
Verify the npm package, source repository, version, and package contents before installing; pin a known-good version where possible.
Message contents and metadata may be exposed to the relay provider during normal operation.
The skill discloses that messages pass through a third-party WebSocket relay and that sender, recipient, and timestamp metadata are logged for delivery tracking and billing.
Relay Server (WSS) ←→ iMessage / RCS / SMS; message content passes through in transit ... Message metadata ... is logged
Do not route highly sensitive conversations through the relay unless the provider's privacy policy, retention practices, and trust model meet your needs.
A message sender could try to manipulate the agent through inbound text.
Inbound SMS/RCS/iMessage content is external, untrusted text that may enter the agent's context. This is expected for a messaging channel, but it can carry prompt-injection-style instructions.
forwards messages back to your agent in real time
Treat inbound messages as untrusted user input and avoid letting them trigger sensitive actions without separate authorization.
