iResponder

Security checks across malware telemetry and agentic risk

Overview

This skill matches its iMessage auto-reply purpose, but it needs review because it can read private message history, send it to AI providers, automatically text people, and log message contents, and because it exposes an unsafe command-execution path.

Review carefully before installing. Only use this with contacts and conversations where automatic AI replies are acceptable, assume message text and recent history may leave the device for AI processing, and do not use it for sensitive conversations. Use narrow contact allowlists, nonzero delays, keyword triggers, daily caps, and test mode. Avoid running Telegram management commands with untrusted input until the execSync shell-command construction is fixed, and consider disabling or redacting plaintext logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Intent-Code Divergence

Medium (90% confidence)
Finding
The documentation inconsistently states the skill uses OpenAI GPT-4/OpenAI API keys in some places and Anthropic/OPENAI_API_KEY in others. Conflicting provider guidance can cause operators to misconfigure secrets, send data to an unintended third party, or misunderstand where private message content is being transmitted. Because the skill handles SMS/iMessage content, this ambiguity directly affects privacy and compliance decisions.

Context-Inappropriate Capability

Medium (90% confidence)
Finding
The code reads API credentials from an unrelated ~/.clawdbot configuration file, creating cross-skill secret access and violating least privilege. A skill that can silently reuse another component's secrets increases blast radius if compromised and may exfiltrate or misuse credentials the user did not intend to share with this handler.

Context-Inappropriate Capability

Medium (89% confidence)
Finding
The watcher reads an Anthropic API key from ~/.clawdbot/clawdbot.json, expanding its access beyond its own configuration and implicitly reusing credentials from another tool. This creates an unnecessary cross-application secret access path: if a user enables this skill without understanding that behavior, the skill can exfiltrate private message content using credentials the user did not explicitly provide for this skill.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The code reads API keys from unrelated local Clawdbot skill configuration entries instead of limiting itself to credentials explicitly provisioned for this auto-responder. That expands the skill's access beyond its stated purpose and creates unnecessary cross-skill credential exposure if this watcher is compromised or misused.

Missing User Warnings

Medium (94% confidence)
Finding
The README states that the tool is context-aware and uses OpenAI GPT-4 to generate replies, which implies recent message history and contact communications may be transmitted to a third-party API. Although the document includes general privacy/ethics guidance, it does not clearly and explicitly warn users that private iMessage/SMS content may be sent off-device to OpenAI, creating a meaningful privacy and consent risk.

Vague Triggers

Medium (85% confidence)
Finding
The natural-language matching guidance is broad enough that ordinary conversational phrases like 'disable auto-responder' or 'restart auto-responder' could be interpreted as operational commands without a clearly bounded command mode or confirmation flow. In a chat-driven system, that raises the risk of accidental or adversarial triggering of sensitive actions such as configuration changes, contact removal, or service restarts.

Missing User Warnings

High (96% confidence)
Finding
The skill handles highly sensitive communications but does not clearly and prominently warn that message contents and conversation history are transmitted to an external AI provider. Users may enable it believing replies are local or only automation-based, leading to unconsented disclosure of private SMS/iMessage data to third parties. The context makes this especially dangerous because personal communications often contain secrets, financial details, or regulated information.

Vague Triggers

Medium (89% confidence)
Finding
The keyword list includes the broad term "help," which commonly appears in ordinary conversations and can cause the autoresponder to trigger unintentionally. In a messaging auto-reply skill, this increases the chance of unsolicited AI-generated responses, privacy leakage from unnecessary context processing, and spammy or inappropriate replies to normal messages.

Missing User Warnings

Medium (89% confidence)
Finding
The CLI exposes bulk operations like set-all-delays, enable-all, and disable-all that immediately modify every managed contact without any confirmation, dry-run, or rollback. In an auto-responder context, an accidental invocation or mis-typed command can disable protections or mass-enable AI replies across all contacts, causing privacy, reputational, or operational harm at scale.

Missing User Warnings

Medium (93% confidence)
Finding
The test-response feature packages contact names, identifiers, prompts, and message content into a request sent to OpenAI, which can include sensitive personal communications. In an iMessage/SMS auto-responder context, this is especially sensitive because users may reasonably expect private message content to remain local unless explicit consent and disclosure are provided.

Missing User Warnings

High (97% confidence)
Finding
The code sends incoming message text and recent chat history to api.anthropic.com to generate replies, but there is no visible consent, notice, redaction, or per-contact approval flow in the watcher itself. Because this skill operates on private iMessage/SMS content, silent transmission to a third-party model provider materially increases privacy and data leakage risk.

Missing User Warnings

High (95% confidence)
Finding
The watcher automatically sends messages on the user's behalf immediately after generating them, with no confirmation, preview, allowlist enforcement beyond config, or safety interlock for unexpected content. In the context of an iMessage/SMS autoresponder, this can cause reputational harm, accidental disclosure, harassment, or policy-violating outbound messages at scale.

Missing User Warnings

Medium (97% confidence)
Finding
The watcher sends recent message history and the latest incoming message to the OpenAI API, which is an external third party, without any consent gate, disclosure, or data-minimization in this file. In the context of private iMessage/SMS conversations, this creates a meaningful privacy and compliance risk because sensitive personal communications may be transmitted off-device automatically.

Missing User Warnings

Medium (88% confidence)
Finding
The script can automatically send iMessages based on generated model output with no interactive confirmation or approval step. Even if intended as automation, this can cause unintended, misleading, or harmful outbound messages, especially because responses are generated from potentially ambiguous conversation context.

Ssd 3

High (98% confidence)
Finding
The watcher logs plaintext incoming messages and generated responses to a persistent log file, while also forwarding conversation content to the language model. This compounds exposure by storing sensitive communications locally in readable form and transmitting them externally, increasing the blast radius of device compromise, log access, or accidental disclosure.

VirusTotal

66/66 vendors flagged this skill as clean.
