Is demegire/claw-messenger safe?
https://github.com/openclaw/skills/tree/main/skills/demegire/claw-messenger
Claw Messenger is a messaging-relay skill that routes all agent SMS/iMessage/RCS communications through a third-party WebSocket server (wss://claw-messenger.onrender.com) operated by Emotion Machine. The skill repository contains no executable code and its clone behavior was clean. However, it instructs the agent to install an unaudited npm package (@emotion-machine/claw-messenger) whose code cannot be assessed. The persistent WebSocket relay gives the operator full visibility into all agent message content and creates an inbound injection vector through which the relay server could deliver crafted instructions to the agent session. The skill may represent a legitimate service, but it requires significant trust in a third-party operator and cannot be fully evaluated without auditing the npm plugin code.
Findings (12)
HIGH All messages routed through third-party relay infrastructure -25
Every message the agent sends or receives is routed through wss://claw-messenger.onrender.com, a server operated by Emotion Machine on render.com. The operator has full plaintext visibility into all agent communications, including any sensitive content such as summaries of user data, task outputs, or personal information included in messages.
HIGH Unaudited third-party npm package installation required -28
The skill instructs the agent to execute 'openclaw plugins install @emotion-machine/claw-messenger'. This npm package is absent from the skill repository and cannot be audited. It could contain arbitrary code including preinstall/postinstall scripts, filesystem access, credential harvesting, or additional network channels. The package is published by the same party operating the relay server, providing no independent security boundary.
HIGH WebSocket relay enables remote instruction injection into agent session -25
The persistent WebSocket connection to claw-messenger.onrender.com is bidirectional. The relay server can deliver arbitrary payloads framed as inbound SMS or iMessage messages to the agent. An attacker with control over the relay server can inject instructions into the agent's context that appear to originate from a trusted phone number, potentially hijacking agent behavior without the user's awareness.
MEDIUM Messaging channel monopolization directive -15
SKILL.md explicitly instructs the agent to use this channel for all iMessage, RCS, and SMS communication, diverting all messaging activity through a single third-party service. This prevents the agent from using alternative or more secure channels and concentrates all communication risk in one operator.
MEDIUM Unaudited npm plugin is opaque attack surface -15
The @emotion-machine/claw-messenger npm package represents a fully opaque code execution surface. The package could access the local filesystem, read environment variables, SSH keys, AWS credentials, or cloud credentials, and exfiltrate them via the already-established WebSocket connection. This risk cannot be assessed without auditing the actual package code.
MEDIUM Inbound WebSocket channel delivers arbitrary data to agent -10
Beyond outbound message exfiltration, the relay server can push arbitrary data payloads to the agent framed as inbound messages. This creates a covert channel through which the operator can deliver encoded data, control signals, or secondary instructions to the agent process.
LOW Agent primed to solicit API credentials from user -10
The skill instructs the agent to ask the user for an API key and write it into a configuration file. This normalizes credential-passing through agent conversations and may train users to hand secrets to agents on request, creating social engineering exposure.
LOW Complete trust in third-party operator required with no self-hosted option -8
The skill requires full trust in Emotion Machine's security practices, privacy policy, and continued operation of claw-messenger.onrender.com on the render.com platform. A service compromise, acquisition, or policy change would expose all historical and future agent message content. No self-hosted deployment option is offered.
LOW Agent-initiated unsolicited contact on verification step -5
Verification step Option A instructs the agent to proactively send a test message to the user's phone number. This constitutes agent-initiated unsolicited outbound contact that the user may not have explicitly requested during the current session.
LOW API key stored in plaintext local config -5
The live API key is written in plaintext to .openclaw.json under channels.claw-messenger.apiKey. Any other process, skill, or user with filesystem read access can retrieve this key and potentially send messages or interact with the Emotion Machine API impersonating the user.
INFO Canary file reads detected — attributed to monitoring infrastructure -15
Read-only accesses to honeypot files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) occurred at 10:55:52 (before git clone began) and 10:56:12 (after install completed). Timing analysis indicates these accesses are consistent with oathe monitoring baseline checks rather than skill-initiated activity. All files had CLOSE_NOWRITE access mode and were reported intact. No exfiltration network path was correlated with these reads.
INFO Clean clone — only expected GitHub connection -12
The git clone process connected only to github.com (140.82.121.4:443) as expected. Pre-existing Ubuntu/Canonical connections (185.125.x.x:443) were present in the monitoring window but are unrelated to the skill and did not persist after the audit window. No new persistent connections were established by the install.