Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CMI CPaaS - WhatsApp OTP Sender

v1.0.2

Send WhatsApp OTP (one-time password) messages via CMI OmniChannel RCS API. Use when user asks to send verification code, OTP, or authentication code via Wha...

by CMI CPaaS (@picccabo-art)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for picccabo-art/whatsapp-otp.

Prompt preview (Install & Setup):
Install the skill "CMI CPaaS - WhatsApp OTP Sender" (picccabo-art/whatsapp-otp) from ClawHub.
Skill page: https://clawhub.ai/picccabo-art/whatsapp-otp
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install whatsapp-otp

ClawHub CLI


npx clawhub@latest install whatsapp-otp

Security Scan

VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description match the included Python and shell scripts and the runtime instructions. The requested inputs (AccessKeyId, AccessKeySecret, ApplicationName, ApplicationSecret, recipient, OTP) are appropriate and required for the API calls the skill performs.
Instruction Scope
SKILL.md and the scripts instruct the agent to clear proxy environment variables and to disable certificate verification / use a permissive SSL context to contact https://cpaas-rcs.cmidict.com:7081. These actions are outside normal best practices and reduce transport security (MITM risk), though they are documented and appear intended to work around a server with a bad TLS configuration.
Install Mechanism
No install spec or external downloads; the skill is instruction+bundled local scripts only. No third‑party packages are fetched at install time (the Python script requires 'requests' but only checks for it at runtime).
Credentials
The skill requires tenant credentials (AccessKeyId/AccessKeySecret and app secret) which are proportionate to sending OTPs. It does modify proxy environment variables within the process and the shell version uses curl --noproxy '*'; this affects only the process but may bypass corporate proxies and access controls — a security tradeoff explained in the SKILL.md.
Persistence & Privilege
The skill is not always-enabled, does not request platform-level persistence, and does not modify other skills or system-wide agent settings.
Assessment
This skill appears to do exactly what it claims, but it contains an explicit workaround that weakens network security: the Python script disables SSL certificate verification and the scripts avoid proxies to reach a server with a broken TLS configuration. Before installing or providing credentials:

  1. Verify you trust the API provider (cpaas-rcs.cmidict.com) and the tenant you will use.
  2. Prefer not to reuse long‑lived credentials; use short‑lived or scoped keys if possible and rotate them after testing.
  3. Run the scripts in a controlled/sandboxed environment first to confirm behavior.
  4. Ask the provider to fix their certificate configuration so you can re-enable standard verification and proxy traversal.
  5. Ensure the agent or environment won't log or leak the AccessKeySecret or ApplicationSecret (avoid pasting secrets into public chat).

If you cannot accept disabling TLS verification or bypassing your corporate proxy, do not use this skill until the API endpoint is corrected or the scripts are adapted to your environment.


Latest: vk9790prjr3421vywhq4hhzyw2582ca60
344 downloads
0 stars
3 versions
Updated 1d ago
v1.0.2
License: MIT-0

WhatsApp OTP Sender

Purpose

Send one-time password (OTP) messages through WhatsApp using the CMI OmniChannel RCS platform.

Quick Start

When user requests to send a WhatsApp OTP:

  1. Ask for credentials (if not already provided):

    • AccessKeyId
    • AccessKeySecret
    • ApplicationName (default: "default")
    • ApplicationSecret
  2. Ask for required parameters:

    • To: Recipient phone number with country code, no + prefix (e.g., 8613800138000)
    • otp_code: The verification code to send (e.g., "123456")

    Important phone number format:

    • From (sender): +8618247665684 (with + prefix)
    • To (recipient): 8613800138000 (without + prefix)
  3. Use the script: Call the Python script to send the message

    python scripts/send_whatsapp_otp.py \
      --access-key-id "$ACCESS_KEY_ID" \
      --access-key-secret "$ACCESS_KEY_SECRET" \
      --app-name "$APPLICATION_NAME" \
      --app-secret "$APPLICATION_SECRET" \
      --to "$TO_NUMBER" \
      --otp "$OTP_CODE"
    

Fixed Configuration

  • Template Name: test_otp_cn_111501 (pre-configured in backend)
  • From Number: +8618247665684 (with + prefix)
  • Type: template
  • Language: zh_CN
  • Components:
    • body: Contains OTP code parameter
    • button: URL button with index 0

API Endpoint

  • URL: https://cpaas-rcs.cmidict.com:7081/singleSend
  • Method: POST
  • Headers: Content-Type: application/json

Security Considerations

Important Notes:

  1. SSL Certificate Verification: The script uses a custom SSL adapter with permissive settings (check_hostname=False, verify_mode=CERT_NONE) to connect to the API endpoint. This is necessary because the CMI OmniChannel RCS API endpoint (cpaas-rcs.cmidict.com:7081) has a non-standard SSL/TLS configuration that causes connection failures with standard verification.

  2. Proxy Settings: The script clears all proxy environment variables (http_proxy, https_proxy, etc.) to ensure direct connection to the API endpoint. This is required because:

    • The API endpoint may not be accessible through certain proxies
    • Proxy configurations in user environments can cause connection timeouts
    • Direct connection provides more reliable operation

Security Impact: These configurations are evaluated as medium risk. The script only affects communication with this specific API endpoint and does not impact other connections.

Recommendation: Work with your operations team to:

  1. Investigate the SSL/TLS configuration of cpaas-rcs.cmidict.com:7081
  2. Test if the API endpoint is accessible through your corporate proxy
  3. Request the API provider to fix their certificate configuration
  4. Re-enable standard SSL verification and proxy support once the endpoint is compliant

Current Workaround: The script includes inline comments documenting the reasoning for these security settings.
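As an added illustration (not code from the skill or its author), the permissive SSL context the scan describes beside a verifying one, with two small audit helpers that report what each setting gives up; the proxy-variable list and the audit function names are assumptions, and nothing here contacts the endpoint.

```python
import os
import ssl

# Endpoint named on the skill page; nothing in this file actually connects to it.
API_URL = "https://cpaas-rcs.cmidict.com:7081/singleSend"
PROXY_VARS = ("http_proxy", "https_proxy", "no_proxy",
              "HTTP_PROXY", "HTTPS_PROXY", "NO_PROXY")


def permissive_context():
    """What the scan flags: any on-path host can present any certificate."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle=None):
    """Standard verification; if the provider's chain only lacks an
    intermediate, pass their CA bundle instead of switching checks off."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit_context(ctx):
    """Transport-security findings for an SSLContext (empty list = OK)."""
    findings = []
    if not ctx.check_hostname:
        findings.append("hostname check disabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("certificate validation disabled")
    return findings


def strip_proxy_vars(env):
    """Mirrors what the skill's script does to its process environment."""
    return {k: v for k, v in env.items() if k not in PROXY_VARS}


def audit_proxy_bypass(before, after):
    """Proxy variables a script dropped: later connections in that process
    bypass the corporate egress proxy and whatever controls sit on it."""
    return sorted(k for k in before if k in PROXY_VARS and k not in after)


if __name__ == "__main__":
    print("permissive:", audit_context(permissive_context()))
    print("hardened  :", audit_context(hardened_context()))
    env = dict(os.environ)
    print("proxy vars dropped:", audit_proxy_bypass(env, strip_proxy_vars(env)))
```

With the hardened context, `urllib.request.build_opener(urllib.request.HTTPSHandler(context=hardened_context()))` keeps the standard library's environment-based ProxyHandler, so the request honours http(s)_proxy and still validates the chain.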

Authentication

This API uses tenant-based authentication:

  • AccessKeyId: Tenant identifier (e.g., PAID_1881A95CE7AEDA00H204B)
  • AccessKeySecret: Tenant secret key (Base64 encoded)
  • Timestamp: Auto-generated by script (ISO8601 UTC format, valid for 15 minutes)

Important: Do NOT manually provide timestamp. The script will generate it automatically at runtime.

Response

Successful response (Code: 0):

{
  "Code": 0,
  "Message": "OK",
  "Timestamp": "2023-01-01T12:00:00Z",
  "From": "+8618247665684",
  "To": "8613800138000",
  "BizId": "MDPG177BBCFD8301E42FH144E"
}

Error response (Code != 0):

{
  "Code": 11998,
  "Message": "ERRCODE_invalid_parameter 120",
  "Timestamp": "2023-08-17T10:01:49Z"
}
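As an added example covering the Authentication and Response sections above (not the skill's own script), the following generates the Timestamp the way the page specifies, checks a timestamp against the stated 15-minute window, classifies a reply by its Code field, and masks credential values before anything is logged; the sample replies are copied from the page and the secret value is a constructed placeholder.

```python
import json
from datetime import datetime, timedelta, timezone

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"          # ISO8601 UTC, as described on the page
TS_TTL = timedelta(minutes=15)            # validity window stated on the page


def make_timestamp(now=None):
    """Generate the Timestamp at call time; it is never taken from the user."""
    now = now or datetime.now(timezone.utc)
    return now.strftime(TS_FORMAT)


def timestamp_is_fresh(ts, now=None):
    """True if ts lies within the 15-minute window and is not in the future."""
    now = now or datetime.now(timezone.utc)
    then = datetime.strptime(ts, TS_FORMAT).replace(tzinfo=timezone.utc)
    return timedelta(0) <= now - then <= TS_TTL


def classify_response(body):
    """(ok, detail) from the API reply: Code 0 is success, anything else an error."""
    reply = json.loads(body)
    code = reply.get("Code")
    if code == 0:
        return True, "sent, BizId=%s" % reply.get("BizId", "?")
    return False, "error %s: %s" % (code, reply.get("Message", ""))


def redact(text, secrets):
    """Mask credential values before a result or error is logged or echoed."""
    for secret in secrets:
        if secret:
            text = text.replace(secret, "***")
    return text


# Sample replies copied from the page.
SUCCESS = ('{"Code": 0, "Message": "OK", "Timestamp": "2023-01-01T12:00:00Z", '
           '"From": "+8618247665684", "To": "8613800138000", '
           '"BizId": "MDPG177BBCFD8301E42FH144E"}')
ERROR = ('{"Code": 11998, "Message": "ERRCODE_invalid_parameter 120", '
         '"Timestamp": "2023-08-17T10:01:49Z"}')

if __name__ == "__main__":
    print(classify_response(SUCCESS))
    print(classify_response(ERROR))
    # "c2VjcmV0" is a constructed placeholder, not a real AccessKeySecret.
    print(redact("request failed, AccessKeySecret=c2VjcmV0", ["c2VjcmV0"]))
```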

Usage Example

User: "Send a WhatsApp OTP to 8614749386918 with code 123456"

Assistant: "I'll need your API credentials to send the WhatsApp OTP. Please provide:

  • AccessKeyId
  • AccessKeySecret
  • ApplicationName (or use 'default')
  • ApplicationSecret"

[User provides credentials]

[Assistant calls the script and reports result]

Comments

Loading comments...