Is dclauzel/freemobile-sms safe?
https://github.com/openclaw/skills/tree/main/skills/dclauzel/freemobile-sms
freemobile-sms is a straightforward, well-written skill for sending SMS notifications via the Free Mobile API to the account owner's own registered phone number. The Python script is clean with no dynamic code execution, hidden logic, or prompt injection attempts, and the clone process produced no unexpected behavior. The primary concerns are minor: API credentials are transmitted as GET parameters (documented upstream API design), the Bash(python3:*) permission is broader than strictly required, and message content is agent-controlled with no guardrails — meaning a misconfigured or manipulated agent could include sensitive data in the SMS body.
Findings (5)
LOW: API credentials transmitted via HTTP GET query parameters (-10)
The Free Mobile SMS API requires the credentials (user login and API key) to be passed as URL query parameters in a GET request. This is the documented upstream API design, not malicious behavior by the skill author. However, GET query parameters are routinely recorded in web server access logs, proxy logs, and browser history, so the FREEMOBILE_SMS_API_KEY could be logged by Free Mobile's infrastructure.
LOW: Bash(python3:*) permission is broader than the bundled script (-18)
The allowed-tools declaration grants the agent permission to invoke any Python 3 command via Bash, not just scripts/FreeMobile_sms.py. An agent operating under a compromised or jailbroken context could use this permission to execute arbitrary Python code beyond what the skill intends.
LOW: SMS message content is agent-controlled and transmitted externally (-25)
The --message argument is constructed by the agent at runtime. If the agent includes sensitive data (API keys, file contents, user information) in the SMS message, that data is transmitted to Free Mobile's API servers and delivered to the subscriber's phone. The skill provides no guardrails on message content.
INFO: Clean sparse clone from monorepo — no unexpected behavior (0)
Installation cloned the openclaw/skills monorepo with sparse-checkout targeting only the freemobile-sms subpath. All network activity was consistent with a standard GitHub clone. No unexpected processes, background daemons, or filesystem writes outside the target directory were observed.
INFO: Canary file accesses attributed to audit framework, not skill code (0)
Canary files (.env, id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were accessed at audit event timestamps 256-261 and 1439-1444. These correspond to the monitoring infrastructure's setup phase (before clone) and post-install verification phase. The Python script was never executed during the audit. All canary files confirmed intact.