Android SMS Gateway
Pass
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to do what it claims—control an Android SMS gateway—but it can send bulk texts, read incoming SMS, use gateway credentials, and register webhooks, so it should be configured carefully.
Install only if you intend to let OpenClaw control an Android SMS gateway. Before use, protect the gateway token/password, keep the gateway on a trusted network, prefer local/private-server mode, verify every recipient list before sending, and use webhook forwarding only to trusted HTTPS endpoints.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent or user could send real SMS messages, including bulk messages, to selected recipients.
The skill intentionally supports sending SMS, including bulk sends from a recipient file. This is consistent with the stated purpose, but it can incur costs or contact many people if run without careful review.
./scripts/bulk_sms.sh --recipients-file ./contacts.txt --message "Alert"
Use dry-run first for bulk sends, verify recipient lists and message text, and require explicit user approval before sending real SMS.
Anyone who obtains the gateway token or password may be able to send SMS or access gateway functions.
The integration needs SMS gateway credentials, either bearer tokens or basic-auth username/password. This is expected, but those credentials can control SMS sending and message access.
"api_token": "your-api-token" ... "gateway_user": "your-username", "gateway_pass": "your-password"
Store credentials in a protected config file, avoid putting secrets in shell history or shared chats, restrict gateway network access, and rotate credentials if exposed.
Received SMS messages can be sent to an external webhook endpoint and may keep flowing there after registration.
The webhook feature forwards incoming SMS events to a user-specified URL. This is disclosed and useful, but incoming SMS may contain sensitive content such as one-time codes or private messages.
Webhook URL must be publicly accessible ... For testing, use https://webhook.site ... Payload will be POSTed to your webhook URL.
Use only trusted HTTPS webhook endpoints, avoid third-party test endpoints for sensitive messages, authenticate/validate webhook receivers, and delete webhooks when no longer needed.
If cloud mode is used, SMS-related requests and credentials may go to the external sms-gate.app service rather than only a local phone.
The documentation emphasizes self-hosting and no third-party dependency, but it also supports an optional cloud API endpoint. The cloud mode is disclosed, but users should not assume all modes are fully local.
Full control, no third-party dependencies ... export SMS_GATEWAY_URL="https://api.sms-gate.app/3rdparty/v1" # Cloud
Use local or private-server mode for self-hosted operation, and review the provider’s security and privacy terms before using cloud mode.
Users have less provenance information for deciding whether the bundled scripts come from a trusted maintainer.
The provided artifacts include scripts, but registry provenance is limited and no homepage/source repository for the skill itself is declared.
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.
Review the included scripts before use and obtain the Android gateway app only from the intended upstream project or a trusted release source.
