Security audit

SMS Gateway

Security checks across malware telemetry and agentic risk

Overview

This is a clear SMS gateway integration, but it can send real texts, and checking messages changes unread messages to read.

Install only if you trust the self-hosted SMS Gateway service and review the upstream installer first. Customize the allowlist, protect the .env API key with restrictive permissions or a secret manager, confirm recipient/message text before sending, and remember that running the receive command marks displayed unread SMS messages as read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly instructs use of local shell scripts and external binaries (`curl`, `jq`) but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: a caller or platform may treat the skill as lower risk than it really is, while it can still trigger message sending/reading actions via shell execution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script's receive path has a side effect: after listing messages, it automatically marks any message with status "received" as read. This violates the expected semantics of a read-only inbox retrieval operation and can destroy workflow state, causing users or downstream automations to miss unread messages or lose audit visibility of which messages were actually reviewed.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README instructs users to place a live API key in a local .env file but gives no guidance on protecting that file, restricting permissions, or keeping it out of version control. If the workspace is shared, backed up, or accidentally committed, the key could be exposed and used to send/read SMS through the gateway.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill notes elsewhere that unread messages are automatically marked as read, but the usage guidance does not surface this as a prominent warning before invoking inbox reads. That can cause unintended state changes and loss of unread status, which is security-relevant because reading evidence or user communications alters records without clear user consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically changing message state without prior warning or opt-in is a hazardous design choice in an SMS management skill, especially because operators may invoke a receive action expecting it to be non-destructive. In this context, message read/unread state is operationally meaningful, so silently altering it can interfere with incident handling, support workflows, and message triage.

Session Persistence

Medium
Category
Rogue Agent
Content
## Setup

Before using this skill, create a `.env` file in the `~/.openclaw/workspace/skills/sms-gateway/scripts` directory with the following variables:

```text
SMS_GATEWAY_URL=http://127.0.0.1:5174
```
Confidence
90% confidence
Finding
create a `.env` file in the `~/.openclaw/workspace/skills/sms-gateway/scripts` directory with the following variables: ```text SMS_GATEWAY_URL=http://127.0.0.1:5174 SMS_GATEWAY_API_KEY=your-api-key-h

VirusTotal

65/65 vendors flagged this skill as clean.
