Security audit
Claw Messenger - iMessage without a Mac
Security checks across malware telemetry and agentic risk
Overview
The skill is transparent about being a messaging relay, but it would let an agent send real iMessage/RCS/SMS messages without clearly documented outbound controls.
Install only if you trust the publisher and intend to let an agent use your messaging account. Protect and rotate the API key, verify the npm package before installing, review the relay privacy and billing terms, and configure your agent to require explicit approval or recipient allowlists before sending outbound messages.
SkillSpector
By NVIDIA
Vulnerability Patterns
- Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
- Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
- Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
- Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
- Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
VirusTotal
66/66 vendors flagged this skill as clean.