ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Sending SMS

v1.0.0

Sends SMS messages via the Sendly API with the Node.js SDK or REST API. Handles single messages, batch sends, scheduling, conversations, and sandbox testing....

0· 8·0 current·0 all-time
by@sendly-live
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
!
Purpose & Capability
The SKILL.md describes sending SMS via Sendly and shows code using process.env.SENDLY_API_KEY and npm installation of @sendly/node, but the registry metadata lists no required environment variables, no primary credential, and no required binaries. Requiring an API key and an SDK is expected for this purpose, but the manifest fails to declare them.
Instruction Scope
The runtime instructions stay on-topic (curl examples, SDK usage, scheduling, batch sends, sandbox numbers, and API docs). They instruct the agent to read SENDLY_API_KEY from environment, which is appropriate for operation but is not declared in the skill metadata — this gap is the main scope concern. The instructions do not ask for unrelated system files or credentials.
Install Mechanism
This is an instruction-only skill with no install spec or code files, which is low-risk in itself. The SKILL.md recommends using the @sendly/node npm package, which is reasonable, but the skill does not declare that dependency or provide an install step in its metadata.
!
Credentials
The instructions require an API key stored in SENDLY_API_KEY (sk_test_* or sk_live_*), but the skill metadata declares no required env vars or primary credential. A credential is required for the described functionality; the omission is disproportionate and unexpected. Also note that live keys could incur costs and send real SMS if used.
Persistence & Privilege
The skill does not request always:true or elevated persistence and is user-invocable only. Autonomous invocation is allowed (platform default), which combined with an undeclared API key would let the agent send messages using whatever SENDLY_API_KEY is present — this is a caution but not a metadata privilege misconfiguration.
What to consider before installing
Key issues: the SKILL.md requires SENDLY_API_KEY and shows npm SDK usage, but the skill manifest does not declare those requirements and the source/homepage are unknown. Before installing: (1) Do not put a live Sendly API key into an agent unless you trust the skill — use a sandbox/test key (sk_test_*) for evaluation. (2) Verify the Sendly domain and the @sendly/node package exist and are legitimate (check npm and the sendly.live docs/openapi links). (3) Ask the publisher to update the metadata to declare SENDLY_API_KEY and required tooling (Node/npm) or decline installation. (4) Remember an API key in the environment could be used autonomously by the agent to send messages (and incur costs); restrict scope/permissions and rotate keys if you test with a real key.

Like a lobster shell, security has layers — review code before you run it.

latestvk9769rvpr5wbeqxt4qme338s79840306

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

Sending SMS with Sendly

Quick start

import Sendly from "@sendly/node";

const sendly = new Sendly(process.env.SENDLY_API_KEY!);

const message = await sendly.messages.send({
  to: "+15551234567",
  text: "Your order has shipped!",
  messageType: "transactional",
});

Authentication

All requests require a Bearer token. Store the API key in SENDLY_API_KEY env var.

  • sk_test_* keys → sandbox mode (no real SMS sent, no credits charged)
  • sk_live_* keys → production (real SMS on verified numbers)

REST API

Base URL: https://sendly.live/api/v1

Send a message

curl -X POST https://sendly.live/api/v1/messages \
  -H "Authorization: Bearer $SENDLY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"to": "+15551234567", "text": "Hello!", "messageType": "transactional"}'

Required fields: to (E.164 format), text, messageType (transactional or marketing)

Optional fields: metadata (object, max 4KB), from (sender ID)

Response shape

{
  "id": "msg_abc123",
  "to": "+15551234567",
  "text": "Hello!",
  "status": "sent",
  "segments": 1,
  "creditsUsed": 2,
  "createdAt": "2026-03-31T10:00:00Z"
}

Schedule a message

curl -X POST https://sendly.live/api/v1/messages/schedule \
  -H "Authorization: Bearer $SENDLY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"to": "+15551234567", "text": "Reminder!", "messageType": "transactional", "scheduledAt": "2026-04-01T14:00:00Z"}'

Schedule window: 5 minutes to 5 days in the future.

Batch send

curl -X POST https://sendly.live/api/v1/messages/batch \
  -H "Authorization: Bearer $SENDLY_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"messages": [{"to": "+15551234567", "text": "Hello"}, {"to": "+15559876543", "text": "Hi"}], "messageType": "transactional"}'

Up to 10,000 recipients per batch.

List messages

curl "https://sendly.live/api/v1/messages?limit=50" \
  -H "Authorization: Bearer $SENDLY_API_KEY"

Supports limit, offset, status, q (full-text search).

Node.js SDK

npm install @sendly/node

import Sendly from "@sendly/node";

const sendly = new Sendly(process.env.SENDLY_API_KEY!);

const msg = await sendly.messages.send({ to: "+15551234567", text: "Hello!", messageType: "transactional" });
const scheduled = await sendly.messages.schedule({ to: "+15551234567", text: "Later!", messageType: "transactional", scheduledAt: "2026-04-01T14:00:00Z" });
const batch = await sendly.messages.batch({ messages: [{to: "+15551234567", text: "Hi"}], messageType: "transactional" });
const list = await sendly.messages.list({ limit: 50 });
const single = await sendly.messages.get("msg_abc123");

Message types

  • transactional: OTP codes, order confirmations, appointment reminders, account alerts. Allowed 24/7.
  • marketing: Promotions, sales, newsletters. Subject to quiet hours (9pm–8am recipient local time).

Misclassifying marketing as transactional violates TCPA.

Sandbox testing

Use sk_test_* keys with magic phone numbers:

NumberBehavior
+15005550000Always succeeds
+15005550001Invalid number error
+15005550002Cannot route error
+15005550006Carrier rejected

Credit costs

  • US/CA: 2 credits per SMS ($0.02)
  • International: varies by country (2–48 credits)
  • 1 credit = $0.01

Conversations API

Messages are automatically threaded into conversations. Use the conversations API for two-way messaging:

const convos = await sendly.conversations.list({ status: "active", limit: 20 });
const replies = await sendly.conversations.suggestReplies("conv_abc123");

Full reference

Files

1 total
Select a file
Select a file to preview.

Comments

Loading comments…