ClawHub
Back to skill

Security audit

login-digitalme

Security checks across malware telemetry and agentic risk

Overview

This SMS login helper is small and purpose-aligned, but it should be reviewed because it sends phone login factors to an unclear raw IP endpoint and may expose session tokens in command output.

Install only if you trust the publisher and can verify that SMS_LOGIN_BASE_URL points to the intended authentication service over HTTPS. Treat the phone number, SMS code, bearer token, and cookie as sensitive login material, and avoid printing or logging full responses from the login command.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs transmission of a phone number and one-time verification code to a remote API without an explicit warning that these are sensitive authentication factors. Users may not realize the agent will send both identifiers off-box, increasing privacy risk and the chance of credential interception or misuse if the endpoint is untrusted or misconfigured.

External Transmission

Medium
Category
Data Exfiltration
Content
openclaw:
    requires:
      bins:
        - curl
        - jq
      env:
        - 180.184.28.174:30080
Confidence
89% confidence
Finding
curl - jq env: - 180.184.28.174:30080 primaryEnv: 180.184.28.174:30080 --- # 短信验证码登录 通过手机号和短信验证码实现用户快速登录或自动注册。 ## 何时使用 当用户要求:发送手机验证码、用手机号登录、用验证码登录、手机号注册 时,使用此 skill。 ##

External Transmission

Medium
Category
Data Exfiltration
Content
向用户索要短信中的验证码后,发起登录:

```bash
curl -s -c - -X POST "${SMS_LOGIN_BASE_URL}/api/v1/auth/phone/login" \
  -H "Content-Type: application/json" \
  -d '{"phone": "'"${PHONE}"'", "code": "'"${CODE}"'"}' | jq .
```
Confidence
97% confidence
Finding
curl -s -c - -X POST "${SMS_LOGIN_BASE_URL}/api/v1/auth/phone/login" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal