Low Risk — Risk Score 15/100
Last scan: 21 hr ago
CloudSMS 群发短信 (Bulk SMS)
Send bulk SMS messages to multiple mobile numbers; supports domestic and international numbers.
Legitimate bulk SMS sending skill that makes HTTP requests to a declared API endpoint with no malicious behavior detected.
Skill Name: CloudSMS 群发短信
Duration: 30.6s
Engine: pi
Safe to install
The skill is safe to use. Consider adding explicit permission declarations (network:READ) in SKILL.md for better transparency.

Findings 1 items

Severity: Low
Finding: Missing permission declarations (Doc Mismatch)
SKILL.md mentions the API endpoint but does not explicitly declare network:READ permission in the capability model
API 地址:https://cpaas-sms.cmidict.com:1820/uips
→ Add explicit permission declarations following the capability model format
Location: SKILL.md:74
Resource | Declared | Inferred | Status | Evidence
Network | NONE | READ | ✓ Aligned | scripts/send_bulk_sms.py:35 - requests.post(API_URL, json=payload)
Shell | NONE | NONE | | No subprocess or shell execution found
Filesystem | NONE | NONE | | No file read/write operations
1 findings
Medium External URL
https://cpaas-sms.cmidict.com:1820/uips
SKILL.md:74

File Tree

2 files · 5.9 KB · 216 lines
Python 1f · 115L Markdown 1f · 101L
├─ 📁 scripts
│ └─ 🐍 send_bulk_sms.py Python 115L · 3.2 KB
└─ 📝 SKILL.md Markdown 101L · 2.7 KB

Dependencies 1 items

Package | Version | Source | Known Vulns | Notes
requests | * | pip | No | Version not pinned; requests is a widely-used legitimate library

Security Positives

✓ Clean, readable code with no obfuscation
✓ API endpoint is declared in SKILL.md
✓ Uses standard requests library for HTTP communication
✓ No credential harvesting beyond API keys required for the feature
✓ No data exfiltration beyond what is necessary for SMS sending
✓ Proper error handling with informative messages
✓ No subprocess, eval, or base64 encoding/decoding
✓ Dependencies are well-established (requests library)