Kakaotalk

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill matches a KakaoTalk AI bot, but Relay mode can let an unverified public webhook drive a local worker that reads memory, calls Gemini, and replies through request-supplied URLs.

Basic mode is comparatively straightforward. Use Relay mode only if you are comfortable exposing a bot webhook, running a local worker, and sending selected local memory to Gemini. Before installing, use a dedicated Supabase project or scoped backend, enable Kakao request verification, validate callback URLs, keep MEMORY.md free of secrets, and do not run the launchd/ngrok scripts unless you want a persistent or publicly reachable local service.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Someone who can reach the deployed webhook could submit fake Kakao-shaped requests, consume API/LLM resources, and cause the local relay to send generated answers to an attacker-chosen callback URL.

Why it was flagged

In Relay mode, the public Vercel handler queues a request-supplied utterance and callback URL. The provided file shows no Kakao signature verification, origin check, rate limit, or callback allow-list before trusting that work item.

Skill content

callback_url = user_request.get("callbackUrl", "") ... if _save_to_queue(user_id, utterance, callback_url): self._send_json({"version": "2.0", "useCallback": True})

Recommendation

Require Kakao signature or shared-secret verification at the Vercel endpoint, validate callback URL hosts, rate-limit requests, and reject unauthenticated Relay jobs before the local watcher processes them.

What this means

Private notes or secrets in MEMORY.md may be sent to Gemini and could be reflected into Kakao callback responses, especially if a malicious or mistaken prompt asks the bot to reveal its memory.

Why it was flagged

The local watcher reads persistent OpenClaw memory and includes it in a Gemini request for queued messages. The artifacts do not show redaction, per-message consent, or prompt-injection safeguards for that memory.

Skill content

memory_path = os.path.expanduser("~/.openclaw/workspace/MEMORY.md") ... memory_context = f.read()[:2000] ... return _call_gemini_direct(system_prompt, utterance)

Recommendation

Make memory sharing explicitly opt-in, show the exact file being read, redact secrets, isolate memory as untrusted context, and avoid sending local memory to external providers unless the user approves.

What this means

If the key is leaked or abused through the relay, it may allow broader Supabase database access than this single queue workflow needs.

Why it was flagged

Relay mode asks for a Supabase Service Role Key, which is typically broad project-level authority, but the artifacts do not bound it to only the kakaotalk_queue table or provide least-privilege guidance.

Skill content

SUPABASE_SERVICE_KEY (optional) - [Relay mode] Supabase Service Role Key

Recommendation

Use a dedicated Supabase project or least-privilege backend/RPC for this skill, restrict table access with RLS where possible, keep service-role keys only on trusted servers, and rotate keys after testing.

What this means

The local Kakao webhook server may continue running after setup and across logins, which can be useful but also increases exposure if paired with ngrok or missing webhook authentication.

Why it was flagged

If the user manually runs this script, it installs a launchd service that starts the local server at login and keeps it available.

Skill content

PLIST_PATH="$HOME/Library/LaunchAgents/${LABEL}.plist" ... <key>KeepAlive</key> ... <key>RunAtLoad</key><true/> ... launchctl load -w "$PLIST_PATH"

Recommendation

Run the service installer only if you want persistent background operation, keep the unload command handy, and avoid exposing the server publicly without signature verification.