ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Beeper CLI

v1.0.2

Search chats, list/read messages, and send messages via Beeper Desktop using the beeper-cli.

0· 1.8k·5 current·5 all-time
byDreetje@foeken
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (search/list/read/send via Beeper Desktop) align with the SKILL.md and the single required binary 'beeper'. The listed CLI commands in SKILL.md are consistent with that purpose.
Instruction Scope
Instructions are narrowly scoped to running beeper-cli commands (searching chats, listing messages, sending messages, uploading/downloading attachments, focusing the window). They reference file paths only where expected for uploads/downloads. The SKILL.md also instructs to set an API access token and to build/install beeper-cli; nothing in the instructions asks the agent to read unrelated system files or unrelated credentials.
Install Mechanism
This is an instruction-only skill with no install spec (lowest risk). SKILL.md suggests downloading releases from GitHub or running 'go install', which is a typical, expected developer/install instruction. Note: building with 'go install' will fetch code from the public repo, so users should verify the upstream release/source before installing.
!
Credentials
SKILL.md requires an environment variable BEEPER_ACCESS_TOKEN (appropriate for the CLI), but the registry metadata lists no required environment variables. That mismatch is an incoherence: either the skill should declare that env var as required or the runtime instructions should not depend on it. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request always:true, does not declare config paths or other system-wide changes, and is user-invocable only. It does not ask for persistent presence or elevated platform privileges.
What to consider before installing
This skill appears to do what it says (wrap the beeper CLI) but the metadata is inconsistent: SKILL.md requires BEEPER_ACCESS_TOKEN while the registry metadata lists no env vars. Before installing or using it: 1) Confirm you have the beeper binary from a trusted source and that the beeper-cli project (https://github.com/foeken/beeper-cli) is legitimate and the release you use is verified. 2) Expect to provide BEEPER_ACCESS_TOKEN in your environment — treat it like any API token (store in a password manager/secret store, and avoid pasting into public logs). 3) If you plan to build with 'go install', review the upstream repo and prefer pinned releases rather than @latest. 4) Be cautious when uploading/downloading files via the CLI; verify paths and contents before sending. 5) Consider asking the skill publisher to correct the registry metadata so required env vars are declared; the mismatch is an indicator of sloppy packaging and should be fixed before wide deployment.

Like a lobster shell, security has layers — review code before you run it.

latestvk97aea7w355bdjhca894seqy0n7zwz5c

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binsbeeper

Comments