ClawHub

Imessage Skill

Security checks across malware telemetry and agentic risk

Overview

The skill’s iMessage automation is mostly disclosed, but it includes a persistent, opt-in remote-control channel over Messages that can run local commands and auto-reply without per-command local approval.

Install only if you are comfortable letting OpenClaw read recent Messages data and send iMessages from your Mac. Keep remote control disabled unless you specifically need it, use a very small admin contact list, avoid broad trusted-contact entries, and review the local logs and configuration after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell
            '''
            
            result = subprocess.run(
                ['osascript', '-e', applescript],
                capture_output=True,
                text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ['osascript', '-e', applescript], capture_output=True, text=True, timeout=30 )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
end tell
            '''
            
            result = subprocess.run(
                ['osascript', '-e', applescript],
                capture_output=True,
                text=True,
Confidence
98% confidence
Finding
result = subprocess.run( ['osascript', '-e', applescript], capture_output=True, text=True, timeout=30 )

Intent-Code Divergence

High
Confidence
91% confidence
Finding
The module documentation frames the skill as a messaging utility, but the implementation also supports remote control of the local OpenClaw environment via inbound messages. That mismatch hides a materially different capability from reviewers and users, reducing informed consent and making abuse harder to anticipate.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code implements remote command/control of the local OpenClaw environment through incoming iMessages. Even with an admin list and allowlist, exposing local system operations to a chat channel creates a dangerous control plane that can be abused through account compromise, misconfiguration, or trust-boundary mistakes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Incoming messages are parsed as commands, can trigger local subprocess execution, and automatically send results back to the sender. This creates a bidirectional remote administration channel over iMessage, significantly expanding the attack surface and enabling unauthorized information disclosure or operational control if the messaging account or admin trust is compromised.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README documents capabilities to send messages, read recent messages, and access contacts via the macOS Messages app, but it does not warn users that the skill can access private communications, contact data, and perform account-impacting actions. In an agent/automation context, this omission is risky because users may install or invoke the skill without understanding the privacy implications or the need for explicit consent before reading or sending message content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends remote-control replies with `force=True`, bypassing the normal send authorization and confirmation checks. This means inbound messages can cause automatic outbound communication without user awareness, which weakens the safety model and can be abused for data leakage or unwanted messaging.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list contains very generic phrases such as "iMessage", "发消息", "send message", and "最近消息", which are likely to match ordinary user requests that are not explicitly intended for this skill. Because the skill exposes an exec-capable entry point and can interact with Messages on macOS, accidental invocation could cause unintended message access or message-sending actions in a sensitive communications context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal