Google Messages

Advisory. Audited by static analysis on May 10, 2026.

Overview

Detected: suspicious.dangerous_exec

Findings (1)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A crafted incoming SMS or local webhook request could run commands on the user’s machine under the account running the webhook.

Why it was flagged

The webhook message is built from parsed POST data and SMS preview/contact fields, then interpolated into a shell command string. The code only escapes quotes and newlines, so shell substitutions such as `$()` or backticks in incoming text would still be evaluated by the shell and could execute local commands.

Skill content
const msg = `📱 SMS from ${data.contact || 'Unknown'}: ${data.preview || data.message || '(no content)'}`; ... execSync(cmd, { timeout: 15000, stdio: 'pipe' });
Recommendation

Do not run the webhook until it is changed to use execFile/spawn with an argument array, strict input validation, and no shell interpolation.

What this means

Other local software, and potentially browser-accessible local requests, could spoof inbound SMS notifications or trigger the unsafe forwarding path.

Why it was flagged

The localhost webhook accepts unauthenticated POSTs and allows all origins before forwarding the received data to OpenClaw channels.

Skill content
res.setHeader('Access-Control-Allow-Origin', '*'); ... if (req.method === 'POST' && req.url === '/sms-inbound') { ... forwardToOpenClaw(data); }
Recommendation

Require a random bearer token or shared secret, validate the Origin, restrict CORS, limit request body size, and only accept notifications from the injected observer.

What this means

Anyone or any agent action using that browser profile could potentially view conversations or send texts as the user.

Why it was flagged

The skill relies on a paired Google Messages browser session, which is effectively delegated access to read and send SMS/RCS through the user’s phone.

Skill content
Browser profile with persistent session ... Important: Enable "Remember this computer" to persist the session.
Recommendation

Use a dedicated browser profile, confirm outbound messages before sending, and revoke Google Messages device pairing when the skill is no longer needed.

Note (High Confidence)
ASI10: Rogue Agents
What this means

Incoming SMS monitoring and forwarding could continue after the initial task until the service is disabled.

Why it was flagged

The documented optional systemd setup makes the webhook persistent as a user service. This is disclosed and purpose-aligned for real-time notifications, but it keeps monitoring/forwarding active in the background.

Skill content
systemctl --user enable --now google-messages-webhook
Recommendation

Only enable the service if you need continuous forwarding, and know how to stop or disable it with systemctl when finished.

What this means

Users may have less assurance that the installed code matches the reviewed artifact or its claimed origin.

Why it was flagged

Installation is documented as a manual clone from a GitHub repository while the supplied metadata lists the source as unknown and package.json references a different repository namespace.

Skill content
git clone https://github.com/kesslerio/google-messages-openclaw-skill.git ~/.openclaw/skills/google-messages
Recommendation

Verify the repository, commit, and file contents before installing or running the Node webhook.

Findings (1)

critical

suspicious.dangerous_exec

Location
sms-webhook-server.js:51
Finding
Shell command execution detected (child_process).