Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using it.

Verifying Phones

v1.0.0

Verifies phone numbers via SMS OTP using the Sendly Verify API. Sends codes, checks codes, handles expiry, and provides hosted verification sessions. Applies...

MIT-0
Security Scan
VirusTotal: Pending
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The name and description (SMS OTP via Sendly) match the SKILL.md examples: send, check, resend, and hosted sessions are all documented. The claimed capability is internally consistent with the API calls shown.
Instruction Scope (flagged)
The runtime instructions repeatedly reference an environment variable (SENDLY_API_KEY) and show curl/SDK calls that require that secret, but the skill's metadata lists no required env vars or primary credential. The instructions do not attempt to read unrelated system files, but they do rely on a credential that is not declared in the registry metadata.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, which minimizes install-time risk.
Credentials (flagged)
The skill needs an API key to function (SENDLY_API_KEY is used throughout), which is proportionate to the task. However, the registry metadata declares no required credentials or primaryEnv, so the skill's declared environment requirements are incomplete/mismatched. That omission increases risk because a user may not realize they must provide a secret.
Persistence & Privilege
The skill is not marked always:true, does not request persistent system-wide changes, and does not declare access to other skills' configs.
What to consider before installing
This skill appears to be a straightforward wrapper for the Sendly Verify API, but the SKILL.md expects you to provide SENDLY_API_KEY while the skill metadata lists no required env vars. Before installing:
1) Treat this as needing your Sendly API key; only provide a key to this skill if you trust the publisher.
2) Prefer a test/sandbox key (sk_test_*) initially.
3) Ask the publisher to update the registry metadata to declare SENDLY_API_KEY as a required credential, and to provide a homepage or source repository so you can verify the code and the author.
4) Verify the API domain (sendly.live) and the documentation links independently.
5) If you integrate hosted sessions, make sure your server validates redirect tokens server-side, as the SKILL.md suggests.
If the publisher cannot explain the missing metadata or provide a repository or homepage, treat the skill as higher risk and do not give it production credentials.
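The Instruction Scope and Credentials findings above describe one concrete check: environment variables the SKILL.md body relies on versus those the registry metadata declares. The following Python script is an added example that performs that check; it is not ClawHub's scanner, nor code from the skill. The metadata shape (requires.env, primaryEnv), the SKILL.md excerpt, the endpoint and the SDK class names are all constructed assumptions for illustration.

```python
import re

# Assumed registry metadata shape (hypothetical; the real ClawHub schema may differ).
# The scan findings mention "required env vars" and "primaryEnv", so both are modelled.
SAMPLE_METADATA = {
    "name": "verifying-phones",
    "version": "1.0.0",
    "requires": {"env": []},   # nothing declared: the mismatch the scan reports
    "primaryEnv": None,
    "always": False,
}

# Constructed SKILL.md excerpt in the style the scan describes (curl + SDK calls).
# The endpoint, SDK class and log path are made up for this example.
SAMPLE_SKILL_MD = """\
---
name: verifying-phones
version: 1.0.0
---
# Verifying Phones

Send a code (shell):

    SENDLY_BASE_URL=https://api.sendly.example curl -X POST "$SENDLY_BASE_URL/verify" \\
      -H "Authorization: Bearer $SENDLY_API_KEY" \\
      -d '{"to": "+15550100"}'

Python SDK:

    client = Sendly(api_key=os.environ["SENDLY_API_KEY"])

Node SDK:

    const client = new Sendly(process.env.SENDLY_API_KEY);

Logs are written under $HOME/.sendly/.
"""

# Ways a SKILL.md typically reaches for an environment variable.
# Each pattern has exactly one capture group: the variable name.
_ENV_PATTERNS = (
    re.compile(r"\$\{?([A-Z][A-Z0-9_]{2,})\}?"),                            # $VAR, ${VAR}
    re.compile(r"\b([A-Z][A-Z0-9_]{2,})=\S"),                               # VAR=value cmd
    re.compile(r"process\.env\.([A-Z][A-Z0-9_]{2,})"),                      # Node
    re.compile(r"os\.environ(?:\.get\(|\[)['\"]([A-Z][A-Z0-9_]{2,})['\"]"),  # Python
)

# Ordinary shell variables that are not skill credentials and should not be reported.
_COMMON_SHELL_VARS = {"HOME", "PATH", "PWD", "USER", "SHELL", "TMPDIR", "LANG", "TERM"}

# Name fragments that suggest a variable carries a secret.
_SECRET_HINTS = ("KEY", "SECRET", "TOKEN", "PASSWORD", "PASS", "CREDENTIAL", "AUTH")


def looks_like_secret(name: str) -> bool:
    return any(hint in name for hint in _SECRET_HINTS)


def referenced_env(skill_md: str) -> set[str]:
    """Env vars the runtime instructions actually use, minus common shell vars."""
    found: set[str] = set()
    for pattern in _ENV_PATTERNS:
        found.update(pattern.findall(skill_md))
    return found - _COMMON_SHELL_VARS


def declared_env(metadata: dict) -> set[str]:
    """Env vars the registry metadata admits the skill needs."""
    declared = set(metadata.get("requires", {}).get("env", []))
    if metadata.get("primaryEnv"):
        declared.add(metadata["primaryEnv"])
    return declared


def audit_skill_env(skill_md: str, metadata: dict) -> dict:
    """Compare used vs declared env vars and grade the gap the way the scan does:
    an undeclared secret-looking variable is 'suspicious'; other undeclared
    variables make the metadata 'incomplete'; no gap is 'ok'."""
    used = referenced_env(skill_md)
    declared = declared_env(metadata)
    undeclared = used - declared
    secrets = sorted(v for v in undeclared if looks_like_secret(v))
    verdict = "suspicious" if secrets else ("incomplete" if undeclared else "ok")
    return {
        "referenced": sorted(used),
        "declared": sorted(declared),
        "undeclared": sorted(undeclared),
        "undeclared_secrets": secrets,
        "verdict": verdict,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(audit_skill_env(SAMPLE_SKILL_MD, SAMPLE_METADATA), indent=2))
```

Run against the constructed sample, the audit reports SENDLY_API_KEY as an undeclared secret (the scan's Credentials finding) and SENDLY_BASE_URL as an undeclared non-secret; adding both to requires.env, or SENDLY_API_KEY to primaryEnv, changes the verdict accordingly. The fix belongs on the publisher's side: declare what the instructions need, so the registry can show it before you hand over a key.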

Like a lobster shell, security has layers — review code before you run it.

latest: vk9716cf03df0d3fqh2c8x1t79x844v6n

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
