Back to skill
Skillv1.0.1
ClawScan security
Send SMS text and bulk messages via TelTel.io API · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:17 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, instructions, and requested API key are consistent with a TelTel SMS sender; it only contacts the TelTel API and does not request unrelated credentials or install arbitrary code.
- Guidance
- This skill appears to do exactly what it says: send SMS via TelTel. Before installing, verify you trust the skill owner and keep your TELTEL_API_KEY secret (it can send messages and incur charges). Use the --dry-run to preview payloads, test with a small controlled recipient list, and ensure any callback URL you provide is a trusted endpoint (TelTel will call it). Also confirm your runtime Node version supports global fetch or provide a compatible runtime; and monitor your TelTel account for unexpected usage/billing after enabling the skill.
Review Dimensions
- Purpose & Capability
- okName/description, declared primaryEnv (TELTEL_API_KEY), SKILL.md, and the two bundled Node scripts all align: they implement single and bulk SMS sends against api.teltel.io and require an API key and optional sender/base URL. No unrelated services or credentials are requested.
- Instruction Scope
- okSKILL.md explicitly instructs running the included Node scripts. The scripts only read TELTEL_API_KEY, TELTEL_SMS_FROM, TELTEL_BASE_URL and CLI args, and send POST requests to the TelTel endpoints. There are no instructions to read arbitrary local files, other env vars, or to transmit data to unexpected third-party endpoints. Callbacks are optionally allowed (expected for delivery reports).
- Install Mechanism
- okThere is no install spec (instruction-only with bundled scripts). No external downloads or package installs are performed by the skill itself, and the included source is plain, unobfuscated JavaScript.
- Credentials
- okThe skill's only required credential is TELTEL_API_KEY (declared as primary). Optional env vars (TELTEL_SMS_FROM, TELTEL_BASE_URL) are reasonable for this purpose. No unrelated secrets or multiple unrelated credentials are requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-wide privileges or modify other skills' configurations. It can be invoked by the agent (normal), but it does not elevate persistence or access beyond its scope.