ops-comms
Facilitates seamless communication across multiple channels like WhatsApp, email, and Slack, enhancing message management and routing.
Install this skill
Security score
The ops-comms skill was audited on May 29, 2026 and we found 17 security issues across 4 threat categories, including 6 high-severity. Review the findings below before installing.
Categories Tested
Security Issues
Template literal with variable interpolation in command context
| 38 | 1. **Daemon health**: Read `${CLAUDE_PLUGIN_DATA_DIR:-$HOME/.claude/plugins/data/ops-ops-marketplace}/daemon-health.json` |
Template literal with variable interpolation in command context
| 42 | 2. **Ops memories**: Before drafting any message, check `${CLAUDE_PLUGIN_DATA_DIR}/memories/`: |
Template literal with variable interpolation in command context
| 47 | 3. **Preferences**: Read `${CLAUDE_PLUGIN_DATA_DIR}/preferences.json` for `default_channels` to determine which channel to prefer when multiple are available for a contact. |
Template literal with variable interpolation in command context
| 175 | `${CLAUDE_PLUGIN_ROOT}/bin/ops-discord read "<CHANNEL_ID>" --limit 20 --json` — requires `DISCORD_BOT_TOKEN` (or credential-store `discord/bot-token`). Fall back to `bin/ops-discord channels --json` i |
Template literal with variable interpolation in command context
| 206 | ```bash |
Template literal with variable interpolation in command context
| 233 | **Before presenting options**, read `${CLAUDE_PLUGIN_DATA_DIR}/preferences.json` and check which channels are configured. Only show configured channels. If <=4 total options (configured channels + "Se |
Curl to non-GitHub URL
| 183 | **Notion API fallback:** If MCP tools fail and `NOTION_API_KEY` is set, use `curl -s -H "Authorization: Bearer $NOTION_API_KEY" -H "Notion-Version: 2022-06-28" -X POST https://api.notion.com/v1/search |
Webhook reference - potential data exfiltration
| 207 | # By channel alias (resolves DISCORD_WEBHOOK_<UPPER> or DISCORD_WEBHOOK_URL) |
Webhook reference - potential data exfiltration
| 213 | # By full webhook URL (useful when the URL is stored per-project) |
Webhook reference - potential data exfiltration
| 214 | ${CLAUDE_PLUGIN_ROOT}/bin/ops-discord send "https://discord.com/api/webhooks/<ID>/<TOKEN>" "<message>" --json |
Webhook reference - potential data exfiltration
| 217 | If the script exits 1 with `{"error":"no discord credential configured — run /ops:setup discord"}`, prompt the user via `AskUserQuestion` (≤4 options per Rule 1): `[Run /ops:setup discord]` / `[Paste |
Webhook reference - potential data exfiltration
| 219 | Note: `DISCORD_WEBHOOK_URL` is shared with the ops-fires notification sink (`scripts/ops-notify.sh`). When pre-existing, prefer it as the default for `/ops:comms discord send` rather than asking the u |
Access to hidden dotfiles in home directory
| 40 | - Also check `~/.wacli/.health` — if not `status=connected`, surface auth issue before proceeding |
Access to hidden dotfiles in home directory
| 53 | **Health file** — check `~/.wacli/.health` BEFORE any wacli command: |
Access to hidden dotfiles in home directory
| 131 | **Pre-flight:** Before any wacli command, check `~/.wacli/.health`. If `status=needs_auth` or `status=needs_reauth`, prompt the user: "WhatsApp needs re-authentication. Run `wacli auth` in a separate |
External URL reference
| 183 | **Notion API fallback:** If MCP tools fail and `NOTION_API_KEY` is set, use `curl -s -H "Authorization: Bearer $NOTION_API_KEY" -H "Notion-Version: 2022-06-28" -X POST https://api.notion.com/v1/search |
External URL reference
| 214 | ${CLAUDE_PLUGIN_ROOT}/bin/ops-discord send "https://discord.com/api/webhooks/<ID>/<TOKEN>" "<message>" --json |