Skill v1.0.0
ClawScan security
FreeSmsGateway · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 12:46 PM
- Verdict: suspicious
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (talk to a local sms-gate.app) but contains undocumented behavior that forwards incoming SMS webhooks to an OpenClaw endpoint by default and uses environment/config files not declared in the manifest — this mismatch could leak sensitive message content if you don't notice it.
- Guidance: This skill appears to implement a legitimate local SMS gateway client, but be aware of hidden forwarding and local files:
  - The webhook receiver (scripts/webhook_server.py) automatically forwards incoming SMS payloads to OPENCLAW_WEBHOOK_URL, which defaults to http://localhost:8080/webhook unless you set OPENCLAW_WEBHOOK_URL='disabled'. SKILL.md does not document this. Before running the webhook server, explicitly set OPENCLAW_WEBHOOK_URL to 'disabled' (or to a URL you trust) if you do not want incoming message content forwarded.
  - The skill caches JWT tokens to .token.json in the skill directory and writes ~/.sms_gateway_last_check. These files contain sensitive data (access_token and timestamps). If you install the skill, ensure the skill directory is not world-readable and consider clearing the token file when not needed.
  - The skill reads a .env file in its root (auth._load_env). Follow the README guidance to create .env, but be aware that credentials in .env are used directly; keep that file private.
  - When configuring webhooks via manage_webhooks.py, avoid registering public/unknown endpoints for sms:received unless you trust them, because message bodies can be delivered to those endpoints.
  - If you want to proceed: audit or modify scripts/webhook_server.py to change the default OPENCLAW_WEBHOOK_URL to 'disabled' or make forwarding opt-in, and confirm file permissions for .token.json and .env. If you are unsure, run the scripts in a controlled environment (not exposed to the internet) and review outgoing network traffic while testing.
Review Dimensions
- Purpose & Capability
  - ok: Name/description, required binaries (python3), and the included scripts (send, list, status, health, webhook management) are consistent with a local SMS gateway integration. The requested env vars (SMS_GATE_URL, SMS_GATE_USER, SMS_GATE_PASS) are appropriate for this purpose.
- Instruction Scope
  - concern: SKILL.md documents how to run the provided scripts but omits a runtime behavior present in the code: scripts/webhook_server.py will attempt to forward every incoming SMS webhook to an OPENCLAW_WEBHOOK_URL (default http://localhost:8080/webhook) unless that env var is explicitly set to 'disabled'. That forwarding is not documented in SKILL.md and is therefore unexpected scope creep — it transmits message payloads to another HTTP endpoint by default.
- Install Mechanism
  - ok: Instruction-only skill with no install spec; the included code uses only the Python standard library. No remote downloads, no archive extraction, and no extra packages are pulled in by the skill.
- Credentials
  - concern: The declared env vars (SMS_GATE_URL/USER/PASS) are proportionate. However, the code reads additional environment variables not declared in the manifest/SKILL.md (OPENCLAW_WEBHOOK_URL controls automatic forwarding) and also reads a local .env in the skill root via auth._load_env. The presence of an undeclared forwarding target is the primary proportionality concern because it can cause exfiltration of incoming SMS content to an endpoint the user did not configure in SKILL.md.
- Persistence & Privilege
  - note: The skill writes a token cache (.token.json) into the skill root and a last-check state file (~/.sms_gateway_last_check) in the user's home; this is normal for caching, but the sensitive access_token is stored in plaintext JSON. The skill is not always-enabled and does not modify other skills or system-wide settings.
