FaxAgent-Skill
v1.0.0
Discover, create, upload, pay, and track fax jobs using FaxAgent.ai API with safe polling, promo tokens, and human-facing upload/payment/status links.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The skill's name, description, and instructions are coherent: they describe discovering the API, creating fax jobs, surfacing human-facing upload/pay/status links, and safe polling. However, the SKILL.md includes runnable shell examples that rely on tools (curl, jq, bash) but the skill metadata declares no required binaries — a minor inconsistency that should be documented by the author.
Instruction Scope
The instructions mostly stay within the stated purpose (POST/GET to FaxAgent endpoints, redact tokens, surface links, safe polling). However, the SKILL.md contains detected 'unicode-control-chars' (prompt-injection pattern). Hidden control characters can be used to obscure or alter instructions and are a real risk when an agent parses and executes free-form instructions; this is the most significant concern. The document does explicitly warn to treat discovery.json as untrusted and not to execute embedded scripts, which is good, but the hidden-control-character finding still merits caution.
Install Mechanism
This is an instruction-only skill with no install spec and no files written to disk by the platform. That minimizes install risk.
Credentials
No environment variables, keys, or config paths are requested by the skill metadata. The skill uses short-lived per-fax tokens returned by the API, and the guide recommends redaction and limited retention — this is proportionate for the stated function.
Persistence & Privilege
always is false; autonomous invocation is allowed (platform default) and is appropriate for a utility skill. The skill does not request persistent presence or modifications to other skills or system-wide settings.
Scan Findings in Context
[unicode-control-chars] unexpected: The SKILL.md contains unicode control characters which are commonly used in prompt-injection attempts to hide or reorder text. A FaxAgent integration would not normally need hidden control characters in its documentation. This is a red flag to inspect the file for hidden directives before allowing the skill to run unattended.
What to consider before installing
This skill appears to implement a straightforward FaxAgent.ai integration and is instruction-only (no install), but take precautions before installing or enabling it for autonomous use:
1) Inspect the SKILL.md in a text editor that reveals invisible characters (or run a sanitizer) because the scanner found unicode control characters that can hide instructions.
2) Ask the author to declare required binaries (curl, jq, bash) so you know what will be executed.
3) Only use per-fax tokens in short-lived contexts and follow the document's redaction guidance; do not paste tokenized URLs into public channels.
4) If you plan to run the provided scripts, run them in a sandboxed environment or a container and review the full script contents line-by-line.
5) Verify the FaxAgent.ai domain and API endpoints are legitimate for your organization before sending any sensitive documents or payment links.
If you cannot validate the SKILL.md or the domain, treat the skill as untrusted and avoid enabling autonomous invocation.
Like a lobster shell, security has layers — review code before you run it.
latest · vk975y8kmyjagbd826nef9jwet5814csv
latest · Secure communications between AI for message and document delivery · vk975y8kmyjagbd826nef9jwet5814csv
