Poku

Pass

Audited by ClawScan on May 1, 2026.

Overview

Poku is a coherent instruction-only skill for using the Poku API to make calls, send messages, manage numbers, and receive webhooks, with sensitive but disclosed permissions.

Install only if you trust Poku and are comfortable giving the agent a Poku API key. Review every call plan, message draft, phone number, and webhook destination before confirming, and use strong secrets for webhook forwarding.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the user confirms an incorrect draft or recipient, the agent could send a real SMS, WhatsApp, or Slack message to the wrong place.

Why it was flagged

The skill uses API calls to send real messages, but it instructs the agent to show the draft and wait for user confirmation first.

Skill content

Show the draft clearly before sending... Do not send until the user confirms. ... curl -s -X POST https://api.pokulabs.com/messages/sms

Recommendation

Before confirming, check the recipient, channel, sender, and exact message text.

What this means

Anyone or any agent with this key may be able to use the user's Poku account to send messages, place calls, and manage numbers or webhooks.

Why it was flagged

The skill requires a Poku credential and correctly warns not to expose it; that credential authorizes communications and account operations through Poku.

Skill content

`POKU_API_KEY` *(required)* — Poku API key. ... Never display any full command with a resolved API key in user-facing output.

Recommendation

Use a dedicated Poku API key if possible, keep it secret, rotate it if exposed, and monitor Poku account activity.

What this means

Inbound messages or call summaries may be shown to the agent and forwarded to another channel; a malicious sender could include misleading text, and private content could be routed beyond Poku.

Why it was flagged

Inbound phone/SMS events can be forwarded into an agent session and Telegram, carrying untrusted and potentially private message or call content.

Skill content

"action": "agent", "agentId": "main", "sessionKey": "hook:poku", "wakeMode": "now" ... "messageTemplate": "You received a message from {{payload.payload.from}}: \"{{payload.payload.body}}{{payload.payload.summary}}\""

Recommendation

Use strong webhook tokens/signing secrets, route only to trusted destinations, and avoid letting inbound message text trigger sensitive actions without review.