Beeper CLI
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: beeper-cli Version: 1.0.2 The skill is classified as suspicious due to its inherent high-risk capabilities, even though they align with its stated purpose. It requires the `BEEPER_ACCESS_TOKEN` environment variable, a sensitive credential, for operation. The skill enables uploading arbitrary local files (`beeper assets upload`) and sending messages (`beeper messages send`), which could be misused for data exfiltration or social engineering if the agent is compromised or given malicious instructions. Additionally, the installation method via `go install github.com/foeken/beeper-cli@latest` introduces a supply chain risk by fetching and executing code from an external repository. No direct malicious prompt injection attempts were found in `SKILL.md`.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If installed and used, the agent can use the token-backed CLI to read/search chats and send or modify messages in the user's Beeper account.
The skill requires a Beeper API token, which is expected for this integration but grants access to the user's Beeper Desktop account and messages.
Env var: `BEEPER_ACCESS_TOKEN` set (get from Beeper Desktop: Settings > Developers > API Access Token)
Only use this skill with a Beeper token you are comfortable delegating to the agent, keep the token secure, and revoke or rotate it if no longer needed.
A mistaken or overly broad instruction could send, edit, archive, create, or attach content in the user's messaging account.
The documented CLI commands include actions that can mutate chats, send or edit messages, and upload files. These are related to the Beeper purpose, but they are high-impact actions if run without clear user intent.
beeper chats archive "<chatID>" ... beeper chats create ... beeper messages send ... beeper messages edit ... beeper assets upload /path/to/image.png
Require explicit user approval before any send, edit, archive, chat creation, reminder change, upload, or download action, and verify chat IDs and message text before execution.
Installing an unexpected or changed CLI release could affect what commands the agent is able to run against Beeper.
The skill depends on an external CLI installed by the user, and the Go install example uses '@latest' rather than a pinned version. This is normal setup documentation but leaves provenance/version verification to the user.
Download from [releases](https://github.com/foeken/beeper-cli/releases), or build: go install github.com/foeken/beeper-cli@latest
Install beeper-cli from a trusted release, consider pinning a known version, and review the upstream project before providing your Beeper token.