Sending SMS
ReviewAudited by ClawScan on May 10, 2026.
Overview
The skill is a straightforward Sendly SMS guide, but users should be careful because it can send real or bulk texts, spend credits, and requires an API key not declared in metadata.
Before installing or using this skill, make sure you trust the Sendly service and SDK, use a test key first, and require confirmation before any live, scheduled, marketing, or batch SMS send. Treat phone numbers, message contents, and the Sendly API key as sensitive.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used with a live key, the agent could send real texts, including large batches, and those messages may cost money or create compliance issues.
The skill can send real and bulk SMS messages through the provider API. This is central to the stated purpose and disclosed, but mistakes could message many recipients or spend credits.
`sk_live_*` keys → production (real SMS on verified numbers) ... Up to 10,000 recipients per batch.
Use sandbox keys for testing, require explicit user confirmation for live/batch/scheduled/marketing sends, and verify recipients, message type, and consent before sending.
A Sendly API key grants the ability to use the account’s SMS functions, potentially including sending and reading message-related data depending on provider permissions.
The API key is expected for Sendly access, but the supplied registry metadata declares no required env vars or primary credential, so users may not notice the credential requirement from metadata alone.
All requests require a Bearer token. Store the API key in `SENDLY_API_KEY` env var.
Declare the required credential in metadata, use the least-privileged Sendly key available, and avoid exposing the key in prompts, logs, or shared files.
Installing the SDK would add third-party code to the local environment if the user chooses the Node.js path.
The optional SDK setup uses an unpinned npm package and is not represented in an install spec. This is purpose-aligned documentation, not automatic installation, but users should still verify the package source.
npm install @sendly/node
Install only from the expected package registry, consider pinning a known-good version, and review package provenance before using it in production.