Sends SMS messages via the Sendly API with the Node.js SDK or REST API. Handles single messages, batch sends, scheduling, conversations, and sandbox testing....
Security Analysis
high confidenceThe instructions clearly require an API key and recommend installing an SDK and calling sendly.live endpoints, but the skill's manifest declares no credentials, binaries, or install steps — that mismatch and the unknown source make the package suspicious.
The SKILL.md describes sending SMS via Sendly and shows code using process.env.SENDLY_API_KEY and npm installation of @sendly/node, but the registry metadata lists no required environment variables, no primary credential, and no required binaries. Requiring an API key and an SDK is expected for this purpose, but the manifest fails to declare them.
The runtime instructions stay on-topic (curl examples, SDK usage, scheduling, batch sends, sandbox numbers, and API docs). They instruct the agent to read SENDLY_API_KEY from environment, which is appropriate for operation but is not declared in the skill metadata — this gap is the main scope concern. The instructions do not ask for unrelated system files or credentials.
This is an instruction-only skill with no install spec or code files, which is low-risk in itself. The SKILL.md recommends using the @sendly/node npm package, which is reasonable, but the skill does not declare that dependency or provide an install step in its metadata.
The instructions require an API key stored in SENDLY_API_KEY (sk_test_* or sk_live_*), but the skill metadata declares no required env vars or primary credential. A credential is required for the described functionality; the omission is disproportionate and unexpected. Also note that live keys could incur costs and send real SMS if used.
The skill does not request always:true or elevated persistence and is user-invocable only. Autonomous invocation is allowed (platform default), which combined with an undeclared API key would let the agent send messages using whatever SENDLY_API_KEY is present — this is a caution but not a metadata privilege misconfiguration.
Guidance
Key issues: the SKILL.md requires SENDLY_API_KEY and shows npm SDK usage, but the skill manifest does not declare those requirements and the source/homepage are unknown. Before installing: (1) Do not put a live Sendly API key into an agent unless you trust the skill — use a sandbox/test key (sk_test_*) for evaluation. (2) Verify the Sendly domain and the @sendly/node package exist and are legitimate (check npm and the sendly.live docs/openapi links). (3) Ask the publisher to update the metadata to declare SENDLY_API_KEY and required tooling (Node/npm) or decline installation. (4) Remember an API key in the environment could be used autonomously by the agent to send messages (and incur costs); restrict scope/permissions and rotate keys if you test with a real key.
Latest Release
v1.0.0
- Initial release of the sending-sms skill. - Send SMS messages using the Sendly API via Node.js SDK or REST API. - Supports single messages, batch sending (up to 10,000 recipients), message scheduling, and SMS conversations. - Includes sandbox testing with test API keys and magic phone numbers. - Handles both transactional and marketing message types, with compliance notes. - Full documentation and API references linked.
Popular Skills
Published by @sendly-live on ClawHub
