Verifies phone numbers via SMS OTP using the Sendly Verify API. Sends codes, checks codes, handles expiry, and provides hosted verification sessions. Applies...
Security Analysis
medium confidence
The skill's instructions clearly use an API key (SENDLY_API_KEY) to call the Sendly Verify service, but the skill metadata declares no required credentials or configuration — this mismatch and the unknown source/homepage warrant caution.
The name and description (SMS OTP via Sendly) match the SKILL.md examples: send, check, resend, and hosted sessions are all documented. The claimed capability is internally consistent with the API calls shown.
The runtime instructions repeatedly reference an environment variable (SENDLY_API_KEY) and show curl/SDK calls that require that secret, but the skill's metadata lists no required env vars or primary credential. The instructions do not attempt to read unrelated system files, but they do rely on a credential that is not declared in the registry metadata.
This is an instruction-only skill with no install spec and no code files, which minimizes install-time risk.
The skill needs an API key to function (SENDLY_API_KEY is used throughout), which is proportionate to the task. However, the registry metadata declares no required credentials or primaryEnv, so the skill's declared environment requirements are incomplete/mismatched. That omission increases risk because a user may not realize they must provide a secret.
The skill is not marked always:true, does not request persistent system-wide changes, and does not declare access to other skills' configs.
Guidance
This skill appears to be a straightforward wrapper for the Sendly Verify API, but the SKILL.md expects you to provide SENDLY_API_KEY while the skill metadata lists no required env vars. Before installing:
1) Treat this as needing your Sendly API key—only provide a key to this skill if you trust the publisher.
2) Prefer using a test/sandbox key (sk_test_*) initially.
3) Ask the publisher to update the registry metadata to declare SENDLY_API_KEY as a required credential and to provide a homepage or source repository so you can verify the code/author.
4) Verify the API domain (sendly.live) and documentation links independently.
5) If you integrate hosted sessions, ensure your server validates redirect tokens server-side as the doc suggests.
If the publisher can't explain the missing metadata or provide a repo/homepage, treat the skill as higher risk and avoid giving it production credentials.
Latest Release
v1.0.0
Initial release of verifying-phones skill.
- Verifies phone numbers via SMS OTP using the Sendly Verify API.
- Supports sending and checking OTP codes, handling expiry, resending, and limiting attempts.
- Provides hosted verification sessions with redirect and token validation.
- Includes Node.js SDK and REST API examples.
- Offers sandbox mode for testing without sending real SMS.
- Detailed error handling and documentation links included.
Published by @sendly-live on ClawHub