message-send

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward guide for sending chat messages through OpenClaw, with the main risk being that sent text, media, and payloads go to external chat services.

Install this only if you want your agent to help send messages through configured chat accounts. Before sending, verify the channel, account, recipient or group ID, and payload contents; use `--dry-run` for complex messages, and avoid sending secrets, credentials, personal data, or confidential files unless you intentionally approve sharing them.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The skill operationalizes sending messages, media, and structured payloads to external chat platforms without any guidance on privacy, consent, data classification, or review of content before transmission. In a messaging skill, that omission increases the chance that users will transmit sensitive data, personal information, or confidential files to the wrong recipient or channel, especially because the workflow emphasizes discovery of targets and rapid sending.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal