ClawHub

Grizzly Sms

v1.1.3

SMS verification and virtual phone numbers via Grizzly SMS API

0· 155·0 current·0 all-time
by@grizzlysms-git
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
Name/description, declared primary credential (GRIZZLY_SMS_API_KEY), and included scripts (node CLI + API client) align with an SMS/virtual-number integration. The skill legitimately needs Node + exec + optional browser access to implement the described registration workflow.
Instruction Scope
SKILL.md stays within the stated purpose: it instructs the agent to obtain an API key, call the bundled CLI via the exec tool to interact with the Grizzly API, poll for SMS codes, and use the browser tool to fill registration forms. It explicitly tells the agent to accept user-provided API keys in-chat and pass them to child processes. That behavior is functionally coherent but expands the privacy surface (see environment_proportionality).
Install Mechanism
There is no external install specification (no downloads). All code is bundled in the skill (scripts/*.mjs and src/). That lowers supply-chain risk. The repository contains package.json and build instructions (for optional MCP server mode), so running the MCP server would require npm install/build; the OpenClaw skill mode calls the included node script directly. No remote URLs or archive extracts are used by the skill itself.
Credentials
Only the Grizzly API key is required (primaryEnv=GRIZZLY_SMS_API_KEY), which is proportionate to the functionality. However, the SKILL.md explicitly instructs the agent to ask users to paste their API key into chat and to use it in exec child-process env overrides rather than recommending secure secret storage. That increases the risk of the secret appearing in conversation logs or agent traces; consider using the platform's secret-prompt/secure-config mechanisms instead of raw chat paste.
Persistence & Privilege
The skill is not 'always: true' and does not request system-level privileges. It does require the exec and optional browser tools to be enabled on the host (the documentation explains how). The skill does not claim to modify other skills or global settings.
Assessment
This skill appears coherent for integrating with Grizzly SMS: it needs your GRIZZLY_SMS_API_KEY and uses bundled Node scripts plus the exec and browser tools. Before installing: - Treat your API key as a secret: avoid pasting it into general chat history if you care about exposure. If OpenClaw (or your client) supports a secure secret prompt or storing the key in skill config, prefer that over raw chat paste. - The skill runs local node scripts via exec on the gateway host. Only enable exec for this skill if you trust the skill source and the host environment; prefer allowlist mode for the exec tool rather than full permissions. - The skill suggests sending cryptocurrency (USDT TRC-20) to a wallet address returned by the API for top-up — independently verify the address on grizzlysms.com before sending funds. - The browser automation and registration workflow can be used to create accounts automatically; ensure you comply with the terms of the services you target and applicable laws/policies. - If you need higher assurance, review the included scripts (scripts/grizzly-cli.mjs and src/*.ts) locally to confirm they do not exfiltrate data to unexpected endpoints before enabling exec/browser on a gateway that has sensitive access.

Like a lobster shell, security has layers — review code before you run it.

latestvk9757ry8by242qrnhzz5s1kek983jzhz

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Primary envGRIZZLY_SMS_API_KEY

Comments