ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

CMI CPaaS - SMS Sender

Send batch SMS messages to up to 100 domestic or international numbers via CloudSMS API with optional custom signature and content.

MIT-0 · Free to use, modify, and redistribute. No attribution required.
0 · 78 · 0 current installs · 0 all-time installs
byCMI CPaaS@picccabo-art
MIT-0
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, SKILL.md, and the included Python script consistently implement sending batch SMS via a CloudSMS API using a Channel ID and Auth Key. The API endpoint in the code matches the SKILL.md.
Instruction Scope
Runtime instructions stay within the declared purpose: ask the user for Channel ID/Auth Key, extract numbers/content/signature, and call the provided script. The instructions do not request other files, secrets, or unrelated system data.
Install Mechanism
This is an instruction-only skill with an included Python script and no install spec. The SKILL.md and script mention the 'requests' dependency but provide no installation steps; running may fail if 'requests' is missing. No external downloads or package installs are performed by the skill itself.
!
Credentials
The script asks only for the expected Channel ID and Auth Key (proportional), but it unconditionally clears proxy environment variables (http_proxy/https_proxy/HTTP_PROXY/HTTPS_PROXY) at startup. That causes the script to bypass any system or corporate proxy/monitoring and is unexpected for an SMS-sender skill — this could be benign (ensure direct connection) or used to evade local network controls. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent installation, does not set always:true, and does not modify system or other skills' configs. It runs as a one-off script invoked by the agent.
What to consider before installing
What to consider before installing or running this skill: - The code and instructions match the stated purpose: it sends SMS to the CloudSMS API and requires Channel ID + Auth Key. If you trust the provider, the design is reasonable. - The skill clears proxy environment variables inside the script, which will bypass any system or corporate proxy/monitoring. If you operate in a monitored environment or need outgoing traffic to go through an inspection proxy, do not run this script until that behavior is removed or explained. - Verify the CloudSMS endpoint (https://cpaas-sms.cmidict.com:1820/uips) and the provider's legitimacy before supplying credentials. The skill has no homepage and the source is unknown — prefer official provider docs. - Do not use production credentials initially: test with a throwaway or test account and a small number of recipient numbers. - The skill depends on Python requests but has no install instructions; ensure the runtime environment has that dependency or add an explicit install step. - Review the script yourself (or have an admin do so). Look for anything that would exfiltrate credentials or send data to unexpected hosts. The script currently only posts to the declared API but the proxy bypass increases risk surface. - If you proceed, consider running in an isolated environment or sandbox and monitor network traffic to confirm it only talks to the expected API. - If you require changes: remove or make proxy clearing optional, add explicit dependency installation guidance, and document the provider and TLS/certificate expectations.

Like a lobster shell, security has layers — review code before you run it.

Current versionv1.0.0
Download zip
latestvk979re3xdfvxbf126fc7dmwp0h835fhd

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

SKILL.md

CloudSMS 群发短信

发送批量短信到多个手机号码,支持国内外号码。

功能说明

通过 CloudSMS 平台 API 发送群发短信,支持:

  • 单个或多个手机号码(最多100个)
  • 自定义短信内容
  • 可选的短信签名

使用前提

需要 CloudSMS 平台的 Channel ID 和 Auth Key。如果没有,请联系平台管理员获取。

凭证信息

使用时需要提供以下凭证:

  • Channel ID: CloudSMS 平台分配的租户标识(Account ID)
  • Auth Key: 对应的认证密钥

参数说明

  • mobile: 手机号码,多个号码用英文逗号分隔,需要包含国家码

    • 格式示例:+8613800138000+8613800138000,+8613900139000
    • 单次最多支持 100 个号码

  • content: 短信内容

    • 最多 500 字(包含签名)
    • 不能包含敏感词

  • signature: 短信签名(选填)

    • 格式:公司名或品牌名(不需要加【】符号)
    • 签名必须提前在平台报备,否则会发送失败
    • 签名会自动添加到短信内容开头

使用示例

示例 1:发送单条短信

给 +8613800138000 发送短信:您的验证码是 123456,5分钟内有效

示例 2:群发短信

群发短信给 +8613800138000,+8613900139000,内容:会议将于明天上午10点在3楼会议室召开

示例 3:带签名的短信

用签名"某某科技"给 +8615622201234 发送:您的订单已发货,请注意查收

返回结果

成功时返回:

  • 发送状态:OK
  • 短信 UID(用于追踪)
  • 每个号码的发送详情

失败时返回:

  • 错误描述
  • 操作建议(如需要报备签名、充值等)

常见问题

  1. 认证失败:如果提示认证错误,请联系平台管理员确认 Channel ID 和 Auth Key
  2. 签名未报备:如果提示签名问题,请联系平台管理员报备签名
  3. 余额不足:请联系平台管理员充值

技术信息

使用方式

当用户请求发送短信时:

  1. 询问并获取 CloudSMS 的 Channel ID 和 Auth Key
  2. 从用户的自然语言中提取:
    • 手机号码(支持多个,逗号分隔)
    • 短信内容
    • 签名(如果提到)
  3. 调用脚本: 
    python3 scripts/send_bulk_sms.py "<channel_id>" "<auth_key>" "<mobile>" "<content>" ["<signature>"]
  4. 解析返回结果并以友好的方式告知用户

注意事项

  • 手机号必须包含国家码(如 +86)
  • 单次最多发送 100 个号码
  • 短信内容不能超过 500 字
  • 签名需要提前报备
  • 签名会自动添加【】符号并拼接在内容开头

Files

2 total
Select a file
Select a file to preview.

Comments

Loading comments…