iResponder

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: autoresponder
Version: 1.0.1

The skill is classified as suspicious primarily due to its explicit requirement for 'Full Disk Access' for Terminal/iTerm, as stated in SKILL.md and README.md. While this permission might be necessary for iMessage automation on macOS, it grants extremely broad access to the user's entire file system, significantly increasing the attack surface for potential data exfiltration or unauthorized actions if the skill were compromised or exploited. Additionally, the skill utilizes `child_process.execSync` and `spawn` in `telegram-handler.js` and `watcher.js` to execute local scripts and make external API calls (e.g., to `https://api.openai.com/v1/chat/completions`), which, while plausible for its stated purpose, represents powerful capabilities that could be abused. The core function of automatically sending messages on the user's behalf is also inherently sensitive.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted autoresponder prompt, contact name, number, or management command could run arbitrary commands on the user's machine under the agent's account.

Why it was flagged

`identifier`, `prompt`, and `name` are user/Telegram-controlled command fields inserted into a shell string. Embedded quotes, command substitutions, or shell metacharacters could execute unintended local commands.

Skill content

execSync(`node "${MANAGE_SCRIPT}" add "${identifier}" "${prompt}" "${name}"`, { stdio: 'inherit' });

Recommendation

Replace execSync shell strings with spawn/execFile and an argument array, validate phone numbers and numeric fields, and never pass prompts or names through a shell.

What this means

The skill can consume the user's OpenAI credits and may expose API keys or message prompt contents to local process-inspection tools while curl is running.

Why it was flagged

The script reads local Clawdbot API credentials, including keys stored under other skill names, and passes the bearer token and prompt payload to curl as process arguments.

Skill content

const configPath = path.join(os.homedir(), '.clawdbot', 'clawdbot.json'); ... apiKey = config.skills?.['openai-whisper-api']?.apiKey || config.skills?.['openai-image-gen']?.apiKey; ... '-H', `Authorization: Bearer ${apiKey}`, '-d', payload

Recommendation

Declare a dedicated credential requirement, use a skill-specific API key, avoid borrowing keys from unrelated skills, and call the API through a library or stdin-based request path that does not expose secrets in command arguments.

What this means

Anyone who can issue commands through the connected Telegram control path may be able to change who receives auto-replies, inspect recent response history, or restart the background process.

Why it was flagged

Telegram management can add/remove contacts, edit prompts, view history, toggle the system, and restart the watcher, but the provided artifacts do not show an authorization or allowed-chat boundary for those remote commands.

Skill content

The auto-responder can be managed directly through Telegram using slash commands or natural language.

Recommendation

Require explicit Telegram chat/user allow-lists, role checks, and confirmations for history access, prompt changes, contact additions, bulk changes, and restarts.

What this means

Private conversation content from watched contacts may leave the device for AI processing, and sensitive details may also appear in local logs or generated-response history.

Why it was flagged

Recent iMessage/SMS conversation history is assembled into the model prompt and sent to OpenAI for response generation.

Skill content

const historyText = messageHistory.slice(0, 5) ... messages: [{ role: 'user', content: prompt }]

Recommendation

Use the smallest needed history window, disclose provider processing clearly, avoid watching sensitive contacts, redact secrets where possible, and review logs regularly.

What this means

A contact's message could try to manipulate the model into ignoring the user's intended prompt or sending an inappropriate response.

Why it was flagged

Untrusted text from a contact is placed directly into the model prompt that produces the outbound reply.

Skill content

Latest message from ${contact.name || contact.identifier}:\n${incomingMessage.text || '[attachment]'}\n\nGenerate a response now:

Recommendation

Treat incoming messages as untrusted data, separate system instructions from quoted conversation text, use conservative prompts, and enable keyword, time-window, daily-cap, or test-mode controls.

What this means

The auto-responder can continue monitoring and sending messages after the setup command completes.

Why it was flagged

The launcher starts a persistent background watcher and stores its PID for later status/stop operations.

Skill content

nohup node "$WATCHER_SCRIPT" >> "$LOG_FILE" 2>&1 &
echo $! > "$PID_FILE"

Recommendation

Start it only when intended, verify status regularly, know how to stop it, and consider launch-time confirmation before enabling background operation.

What this means

Users may not realize before installation that this skill requires sensitive local permissions and external tooling.

Why it was flagged

The registry metadata under-declares the actual documented environment needs, including macOS, imsg, OpenAI credentials, and Full Disk Access.

Skill content

No install spec — this is an instruction-only skill; Required binaries: none; Required env vars: none; Primary credential: none; OS restriction: none

Recommendation

Update metadata to declare macOS-only operation, imsg, Node script execution, OpenAI credential use, Messages/Full Disk Access permissions, and background-process behavior.