Skill v2.0.0

VirusTotal security

Android SMS Gateway · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:23 AM
Hash
f3ed2f120a56080574be0a0df3b8e541bcb9e3b5a79e3eb3afab3cf3c0083a97
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: android-sms-gateway
Version: 2.0.0

The skill is designed for a legitimate purpose (Android SMS gateway). However, the shell scripts (`bulk_sms.sh`, `bulk_sms_capcom6.sh`, `send_sms.sh`, `send_sms_capcom6.sh`, `receive_sms.sh`, `register_webhook_capcom6.sh`, `check_status_capcom6.sh`) exhibit multiple critical shell injection vulnerabilities. User-controlled inputs (e.g., `--message`, `--to`, `--url`, `--since`, `--id`, `--user`, `--pass`) are directly interpolated into JSON payloads, URL query parameters, URL paths, and basic authentication strings without proper escaping. This allows for arbitrary command execution if an attacker can control the input arguments passed to these scripts. While these are severe vulnerabilities, they represent implementation flaws rather than clear evidence of intentional malicious behavior by the skill developer.