Security audit

FreeSmsGateway

Security checks across malware telemetry and agentic risk

Overview

This SMS skill mostly matches its purpose, but it handles real text messages and exposes/forwards incoming SMS webhooks with too little protection and disclosure.

Install only if you are comfortable giving an agent access to an SMS-capable device. Keep the gateway on a trusted network, protect .env and .token.json, require manual approval before sends or webhook changes, avoid exposing the receiver publicly unless you add authentication, and set OPENCLAW_WEBHOOK_URL=disabled unless forwarding inbound SMS content is intentional.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Tainted flow: 'req' from os.environ.get (line 26, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
                        headers={'Content-Type': 'application/json'},
                        method='POST'
                    )
                    urllib.request.urlopen(req, timeout=5)
                except Exception as e:
                    print(f"   ⚠️ Could not forward to OpenClaw: {e}")
Confidence
92% confidence
Finding
urllib.request.urlopen(req, timeout=5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares no explicit permissions while its documented behavior requires access to environment secrets, network connectivity, shell execution, and likely file operations. That mismatch weakens review and consent boundaries: a user or platform may approve the skill without realizing it can transmit SMS content, use stored credentials, and expose local services.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose sounds like a straightforward local SMS integration, but the behavior expands into running a webhook receiver, exposing it through ngrok, forwarding inbound SMS payloads, and collecting device health telemetry. That broader behavior materially changes the risk profile because it can move sensitive incoming SMS off-device or onto externally reachable infrastructure without being prominently disclosed.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The server forwards inbound SMS webhook payloads to an external endpoint unrelated to the stated core purpose of locally handling SMS gateway events. This creates an unnecessary secondary data channel for sensitive SMS content and metadata, which is especially dangerous because users may reasonably expect local-only processing from the skill description.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The docstring describes a simple webhook receiver, but the implementation also forwards SMS payloads elsewhere, creating a documentation/behavior mismatch. That mismatch is security-relevant because it can conceal sensitive-data transmission from reviewers or users and reduce informed consent around handling of incoming SMS.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly instructs users to expose the webhook receiver through ngrok for incoming SMS, but does not warn that message contents and sender metadata will traverse and be accessible through a third-party tunneling provider. In the context of SMS, this can expose sensitive personal data, authentication codes, and other private communications, making the omission a real security issue even though it is documentation-level rather than code execution.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instructions recommend exposing incoming SMS via ngrok or a local webhook endpoint without any warning about the sensitivity of SMS contents, webhook authentication, replay protection, or public endpoint hardening. Because SMS often carries OTPs, personal data, and account recovery links, publishing a receiver or forwarding those payloads can create a direct confidentiality risk if the endpoint is guessed, logged, misconfigured, or intercepted.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The API reference explicitly uses plain HTTP to transmit SMS content, phone numbers, and Basic Auth credentials to a local service, which exposes sensitive data and credentials to interception by any attacker with local network visibility. In the context of an SMS gateway, this is particularly risky because message bodies, recipient metadata, and authentication secrets are all privacy-sensitive and could enable unauthorized message sending or surveillance.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code caches a bearer token in .token.json on disk without setting restrictive file permissions or offering any disclosure about persistent credential storage. On multi-user systems or shared skill directories, another local process or user may be able to read and reuse the token until expiry.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Incoming SMS payloads are forwarded without any explicit user-facing disclosure, and the default endpoint uses plain HTTP, which can expose message contents and metadata in transit. In an SMS gateway skill, this is particularly sensitive because text messages often contain personal information, one-time codes, and account-related data.

Missing User Warnings

Low
Confidence
81% confidence
Finding
The test sends a real SMS when TEST_PHONE_NUMBER is set, but the execution point itself does not present an explicit warning or require an additional confirmation. In CI or shared developer environments, this can lead to unintended message transmission, minor cost, noise, or privacy issues if someone enables the variable without realizing the side effect.

VirusTotal

64/64 vendors flagged this skill as clean.