Kim Msg Skill
Pass
Audited by ClawScan on May 1, 2026.
Overview
This skill is a coherent Kim messaging integration, but users should notice that it reads local Kim credentials and can send messages to users or group chats when invoked.
This appears safe for its stated purpose if you intend to let an agent send Kim notifications. Before installing, make sure the Kim app or webhook is least-privileged, protect the credential files, and require confirmation for important or sensitive messages.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If invoked, the skill can use configured Kim credentials to send messages as the associated app or bot.
The script can load Kim credentials from environment variables or local secret files. This is disclosed and purpose-aligned, but those credentials authorize message sending.
const CREDENTIAL_FILES = [ path.join(os.homedir(), '.openclaw', '.secrets'), path.join(os.homedir(), '.kim_credentials'), path.join(process.cwd(), 'kim_credentials') ];
Use least-privileged Kim credentials, keep secret files permission-restricted, and verify the target user or group before sending.
An accidental or poorly reviewed invocation could send the wrong content to the wrong Kim user or group.
The script posts user-provided message content to Kim users via API endpoints. This matches the skill purpose, but it is an external account action.
const url = `${BASE_URL}/openapi/v2/message/send`; ... username: targetUser, ... const url = `${BASE_URL}/openapi/v2/message/batch/send`; ... usernames: [targetUser]
Ask the agent to confirm message text and recipient before invoking the skill, especially for group chats or business-sensitive content.
The skill may fail until required local tools are available, and users may need to install them manually.
The metadata under-declares runtime requirements even though the included scripts use Node.js, bash, curl, and jq. This affects install clarity rather than showing hidden behavior.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Install dependencies only from trusted sources and prefer updated metadata that declares required binaries and credentials.
