Google Messages

Security checks across malware telemetry and agentic risk

Overview

This Google Messages skill is mostly purpose-aligned, but it needs review because its SMS notification webhook can execute shell commands built from message content and it forwards sensitive text previews with limited controls.

Review carefully before installing. Do not enable the webhook or persistent service unless the shell-based execSync forwarding is replaced with an argument-based call and you are comfortable forwarding SMS previews to the configured channel. Use a dedicated browser profile, pair only on a trusted machine, and assume forwarded SMS content may include private conversations, account recovery links, or one-time codes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The trigger description includes broad everyday phrases like 'send a text' and 'check texts,' which increases the chance of unintended invocation in ordinary conversation. In this skill's context, accidental activation is more dangerous because the skill operates on private communications and may forward incoming SMS notifications to other channels.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The skill explicitly supports forwarding incoming texts to other channels, but the user-facing description does not provide a clear privacy warning about the sensitivity of SMS/RCS content and metadata. This creates a real risk of unintended disclosure of private messages, contact information, and notification previews to external services.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The instruction to inject and run a DOM-scraping observer in the browser is broadly scoped and lacks any trigger constraints, consent checks, or exclusions. In this skill context, that means an operator could enable continuous monitoring of private SMS/RCS conversations without a clearly bounded use case, increasing the risk of unnecessary surveillance and unauthorized collection.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The documentation instructs users to deploy a script that continuously watches conversations and transmits message metadata and previews to a webhook, but it does not warn about the privacy and sensitivity of SMS/RCS data. Because text messages commonly contain authentication codes, personal communications, and other sensitive content, omitting an explicit warning and consent model makes misuse and accidental over-collection much more likely.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The snippets directly extract recent conversation names, message previews, and full message text from Google Messages, which is highly privacy-sensitive data. In a messaging skill this access is functionally relevant, but the file provides ready-made exfiltration-style DOM scraping examples without any user-facing warning, consent boundary, minimization guidance, or restriction on when these snippets should be used.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The script automatically exfiltrates SMS/RCS metadata and message previews to a configured webhook whenever it detects an incoming message. In the context of a messaging skill, this is highly sensitive content, and the code provides no runtime consent prompt, recipient allowlist, transport enforcement, or minimization controls; by default it even permits cleartext HTTP to localhost, which could be forwarded or misconfigured.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This server forwards SMS content and sender metadata to an external notification target without any consent check, warning, access control, or data-minimization step. Because SMS messages often contain sensitive personal data, this creates a privacy leak path where private communications are automatically retransmitted to another service or chat destination.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The embedded script continuously scrapes incoming conversation data from Google Messages and forwards message previews, contact names, and timestamps to a local webhook. Even though the destination is localhost, this is still an exfiltration channel to another process and exposes sensitive communications data, including potentially secrets like one-time codes, in a way that can be repurposed or mishandled.

VirusTotal

66/66 vendors flagged this skill as clean.
