Skill v1.0.0
ClawScan security
send-imessage · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 10, 2026, 5:08 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions (AppleScript via osascript to send Messages) match its stated purpose; no extra credentials or installs are requested, but it is macOS-specific and could send messages autonomously if allowed.
- Guidance: This skill is coherent for sending iMessages but only works on macOS with the Messages app signed in. Before installing: confirm you'll run it on macOS; be aware the agent can call the skill autonomously (consider requiring manual confirmation before sending messages); macOS may require Accessibility permission for osascript to control Messages. Also ask the publisher to set the skill's OS restriction to macOS to avoid accidental use on unsupported systems.
Review Dimensions
- Purpose & Capability (note): The name/description and SKILL.md are consistent: the skill sends iMessages via AppleScript. However, the registry metadata does not declare that this is macOS-only even though it requires osascript/AppleScript and the Messages app; that mismatch should be corrected.
- Instruction Scope (ok): SKILL.md contains explicit steps to extract phone number and message and run a single osascript block to send the message. It does not instruct reading unrelated files, accessing extra environment variables, or exfiltrating data.
- Install Mechanism (ok): There is no install spec and no code files; this is instruction-only, so nothing is downloaded or written to disk by the skill itself.
- Credentials (ok): The skill requests no environment variables or credentials. It properly notes runtime requirements (Messages logged in, Accessibility permissions) which are proportional to sending messages.
- Persistence & Privilege (note): always is false (good). disable-model-invocation is false (normal), which means the agent could autonomously invoke the skill. This increases the risk of the agent sending messages without extra confirmation, though it is not combined with other concerning privileges.
