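📦 RCS Message — 5G Smart SMS Bulk Sending
v1.0.5
RCS Message is an upgraded form of 5G smart SMS. It sends and forwards text and template messages in bulk directly by phone number and, with no app download required, delivers rich media, cards, buttons and other advanced messaging features. It is suited to marketing, notification, customer service and other outreach scenarios.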
Last updated
2026/4/21
Security scan
OpenClaw
Suspicious
medium confidence
Assessment recommendation
This skill appears to implement an RCS/SMS sender, but you should be cautious before installing or running it: (1) The package and docs are inconsistent — verify the correct API hostname and that '5g.fontdo.com' is the legitimate provider you expect. (2) The scripts will ask for your APP_ID/APP_SECRET and save them in plaintext under your home directory (several different paths are used). If you must use it, prefer setting environment variables temporarily, inspect the code yourself, and run the...
ℹ Purpose and capabilities
The code implements an RCS/SMS group-sending client and requires APP_ID/APP_SECRET to call https://5g.fontdo.com — which is coherent with the stated purpose. However, the registry metadata claims no required env vars while SKILL.md and all code clearly need credentials; example configs and usage docs reference different server hosts (api.5g-messaging.com, FIVE_G_SERVER_ROOT) producing internal inconsistencies.
⚠ Instruction scope
Runtime instructions and code prompt for credentials, set environment variables, and write/read session credential files under the user's home directory. The skill will ask for APP_ID/APP_SECRET interactively and persist them. While network calls are limited to the declared API endpoint, the instructions/code access and persist user secrets and several filesystem locations (multiple different paths are used in different modules), which expands the scope beyond a transient send action.
✓ Install mechanism
No install spec / external downloads are present; this is instruction + local Python code that runs on the host. Nothing in the manifest attempts to fetch or execute remote archives at install time.
⚠ Credential requirements
The skill legitimately needs an APP_ID and APP_SECRET to call the provider API, but it stores those secrets unencrypted in multiple locations under the user's home directory (~/.5g_messaging/credentials.json, ~/.config/moltbot/5g_messaging, ~/.config/moltbot/rcs-message/<session>.json). The registry metadata omitted required env vars (discrepancy). There are no unrelated third-party credentials requested, but persistent plaintext storage of secrets is a privacy/security risk.
ℹ Persistence and privileges
The skill creates persistent files and directories in the user's home (both ~/.5g_messaging and ~/.config/moltbot/...), and stores credentials there. It does not request elevated system privileges or mark itself always:true, but persistent unencrypted credential storage and multiple differing storage locations are concerning and increase blast radius if the host is compromised.
Security is layered; review the code before running it.
Runtime dependencies
No special dependencies
Versions
latest v1.0.5 2026/3/15
● Benign
Install command
Official: npx clawhub@latest install rcs-message
Mirror (accelerated): npx clawhub@latest install rcs-message --registry https://cn.longxiaskill.com