ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Delivery Queue

v1.0.0

Schedule and send segmented messages in timed intervals to mimic human-like delivery and optimize engagement.

0· 37·1 current·1 all-time
by@ipythoning·duplicate of @ipythoning/sdr-delivery-queue
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The name/description promise scheduling and sending to WhatsApp/Telegram/email, but the provided deliver.sh only creates/manages local JSON queue entries and can mark them as sent; there is no delivery worker, no network/SMTP/third-party API integration, and no required API keys or SMTP credentials declared. A delivery skill that actually sends messages would normally require service credentials and sending logic.
!
Instruction Scope
SKILL.md describes a background worker and retry behavior, but the runtime instructions and deliver.sh do not implement sending or retries — they only queue, list, cancel, flush (mark as sent) and clean local entries. The instructions do not request or document how messages get delivered, which grants broad implicit responsibility to other components or the agent without making them explicit.
Install Mechanism
No install spec (instruction-only), so the code will be placed on disk as-is. This is low-risk from an install-download perspective, but the script invokes external binaries (python3, sha256sum, realpath, date) that the package metadata did not declare as required.
!
Credentials
The skill declares no required env vars or credentials, yet targets external messaging services where API keys/SMTP credentials would normally be required. The script optionally uses OPENCLAW_HOME but that env var was not documented in SKILL.md's 'requires'. No sensitive data is accessed by the script itself, but absence of declared credentials is disproportionate to the stated purpose.
Persistence & Privilege
The skill does not request always:true and does not modify other skills or global configuration. It creates and manages files under OPENCLAW_HOME or $HOME/.openclaw/delivery-queue (its own data), which is expected behavior for a local queue.
What to consider before installing
This package only provides a local queue manager: it writes JSON files to $HOME/.openclaw/delivery-queue and can mark entries 'sent' but contains no code to actually connect to WhatsApp, Telegram, or an email SMTP/API. Before installing, ask the author how messages are delivered (what background worker or integration is required), whether API keys or SMTP credentials are needed, and where those credentials should be stored. Ensure you are comfortable that another component (or the agent) will perform sending securely — otherwise the skill will not perform its claimed function. Also note the script calls python3, sha256sum, and realpath; ensure those binaries exist and review any external integration code that will be added to handle actual message delivery.

Like a lobster shell, security has layers — review code before you run it.

latestvk9714wp9mw3asmkvryg1gw99f9843zyc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments