Google Messages
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: google-messages-openclaw-skill
Version: 0.1.0
This skill is classified as suspicious due to its use of high-risk capabilities, even though they appear to be aligned with the stated purpose. Key indicators include the use of `child_process.execSync` in `sms-webhook-server.js` to execute the `openclaw` CLI, and the instruction in `SKILL.md` and `references/observer-injection.md` to use `browser action=act request={"kind": "evaluate", "fn": "..."}` for injecting arbitrary JavaScript (`sms-observer.js`) into the browser. Additionally, the skill includes instructions for setting up a systemd user service for persistence of the webhook server. While these actions are necessary for the skill's functionality (automating Google Messages and providing notifications), they represent powerful primitives that could be abused if the skill were compromised or had malicious intent, thus exceeding the threshold for 'benign'.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted incoming SMS or local webhook request could run commands on the user’s machine under the account running the webhook.
The webhook message is built from parsed POST data and SMS preview/contact fields, then passed through a shell command string. The code only escapes quotes/newlines, so shell substitutions such as `$()` or backticks in incoming text could execute local commands.
const msg = `📱 SMS from ${data.contact || 'Unknown'}: ${data.preview || data.message || '(no content)'}`; ... execSync(cmd, { timeout: 15000, stdio: 'pipe' });
Do not run the webhook until it is changed to use execFile/spawn with an argument array, strict input validation, and no shell interpolation.
Other local software, and potentially browser-accessible local requests, could spoof inbound SMS notifications or trigger the unsafe forwarding path.
The localhost webhook accepts unauthenticated POSTs and allows all origins before forwarding the received data to OpenClaw channels.
res.setHeader('Access-Control-Allow-Origin', '*'); ... if (req.method === 'POST' && req.url === '/sms-inbound') { ... forwardToOpenClaw(data); }
Require a random bearer token or shared secret, validate the Origin, restrict CORS, limit request body size, and only accept notifications from the injected observer.
Anyone or any agent action using that browser profile could potentially view conversations or send texts as the user.
The skill relies on a paired Google Messages browser session, which is effectively delegated access to read and send SMS/RCS through the user’s phone.
Browser profile with persistent session ... Important: Enable "Remember this computer" to persist the session.
Use a dedicated browser profile, confirm outbound messages before sending, and revoke Google Messages device pairing when the skill is no longer needed.
Incoming SMS monitoring and forwarding could continue after the initial task until the service is disabled.
The documented optional systemd setup makes the webhook persistent as a user service. This is disclosed and purpose-aligned for real-time notifications, but it keeps monitoring/forwarding active in the background.
systemctl --user enable --now google-messages-webhook
Only enable the service if you need continuous forwarding, and know how to stop or disable it with systemctl when finished.
Users may have less assurance that the installed code matches the reviewed artifact or its claimed origin.
Installation is documented as a manual clone from a GitHub repository while the supplied metadata lists the source as unknown and package.json references a different repository namespace.
git clone https://github.com/kesslerio/google-messages-openclaw-skill.git ~/.openclaw/skills/google-messages
Verify the repository, commit, and file contents before installing or running the Node webhook.
