picccabo-art

CMI CPaaS - SMS Sender

by CMI CPaaS · GitHub ↗ · v1.0.0 · MIT-0
cross-platform ⚠ suspicious
Downloads: 219 · Stars: 0 · Active Installs: 0 · Versions: 1
Install in OpenClaw
/install sms-sender
Description
Send batch SMS messages to up to 100 domestic or international numbers via CloudSMS API with optional custom signature and content.
Usage Guidance
What to consider before installing or running this skill:
- The code and instructions match the stated purpose: it sends SMS to the CloudSMS API and requires Channel ID + Auth Key. If you trust the provider, the design is reasonable.
- The skill clears proxy environment variables inside the script, which will bypass any system or corporate proxy/monitoring. If you operate in a monitored environment or need outgoing traffic to go through an inspection proxy, do not run this script until that behavior is removed or explained.
- Verify the CloudSMS endpoint (https://cpaas-sms.cmidict.com:1820/uips) and the provider's legitimacy before supplying credentials. The skill has no homepage and the source is unknown — prefer official provider docs.
- Do not use production credentials initially: test with a throwaway or test account and a small number of recipient numbers.
- The skill depends on Python requests but has no install instructions; ensure the runtime environment has that dependency or add an explicit install step.
- Review the script yourself (or have an admin do so). Look for anything that would exfiltrate credentials or send data to unexpected hosts. The script currently only posts to the declared API but the proxy bypass increases risk surface.
- If you proceed, consider running in an isolated environment or sandbox and monitor network traffic to confirm it only talks to the expected API.
- If you require changes: remove or make proxy clearing optional, add explicit dependency installation guidance, and document the provider and TLS/certificate expectations.
Capability Analysis
Type: OpenClaw Skill
Name: sms-sender
Version: 1.0.0

The skill facilitates bulk SMS sending via a third-party API (cpaas-sms.cmidict.com). It is classified as suspicious due to a significant shell injection vulnerability; the SKILL.md instructions direct the AI agent to construct a shell command using unvalidated user input (message content, phone numbers), which could lead to Remote Code Execution (RCE) if the agent does not properly escape the strings. Additionally, the script send_bulk_sms.py explicitly clears system proxy environment variables, an unusual behavior that could be intended to bypass local network security monitoring.
Capability Assessment
Purpose & Capability
Name, description, SKILL.md, and the included Python script consistently implement sending batch SMS via a CloudSMS API using a Channel ID and Auth Key. The API endpoint in the code matches the SKILL.md.
Instruction Scope
Runtime instructions stay within the declared purpose: ask the user for Channel ID/Auth Key, extract numbers/content/signature, and call the provided script. The instructions do not request other files, secrets, or unrelated system data.
Install Mechanism
This is an instruction-only skill with an included Python script and no install spec. The SKILL.md and script mention the 'requests' dependency but provide no installation steps; running may fail if 'requests' is missing. No external downloads or package installs are performed by the skill itself.
Credentials
The script asks only for the expected Channel ID and Auth Key (proportional), but it unconditionally clears proxy environment variables (http_proxy/https_proxy/HTTP_PROXY/HTTPS_PROXY) at startup. That causes the script to bypass any system or corporate proxy/monitoring and is unexpected for an SMS-sender skill — this could be benign (ensure direct connection) or used to evade local network controls. No other unrelated credentials are requested.
Persistence & Privilege
The skill does not request persistent installation, does not set always:true, and does not modify system or other skills' configs. It runs as a one-off script invoked by the agent.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install sms-sender
  3. After installation, invoke the skill by name or use /sms-sender
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Major rewrite: the skill has been revamped for CloudSMS bulk messaging with new workflow and technical requirements.
- Added Python script scripts/send_bulk_sms.py for sending SMS via CloudSMS API.
- Removed obsolete shell script scripts/script.sh.
- Updated documentation to detail CloudSMS account setup, required parameters, credential handling, and error troubleshooting.
- Now supports sending to up to 100 phone numbers at once, optional signature, and custom message content.
- Provided new usage examples, return formats, and practical notes for successful SMS delivery.
Metadata
Slug sms-sender
Version 1.0.0
License MIT-0
All-time Installs 0
Active Installs 0
Total Versions 1
Frequently Asked Questions

What is CMI CPaaS - SMS Sender?

Send batch SMS messages to up to 100 domestic or international numbers via CloudSMS API with optional custom signature and content. It is an AI Agent Skill for Claude Code / OpenClaw, with 219 downloads so far.

How do I install CMI CPaaS - SMS Sender?

Run "/install sms-sender" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is CMI CPaaS - SMS Sender free?

Yes, CMI CPaaS - SMS Sender is completely free, licensed under MIT-0. You can download, install and use it at no cost.

Which platforms does CMI CPaaS - SMS Sender support?

CMI CPaaS - SMS Sender is cross-platform and runs anywhere OpenClaw / Claude Code is available.

Who created CMI CPaaS - SMS Sender?

It is built and maintained by CMI CPaaS (@picccabo-art); the current version is v1.0.0.
