Shadow Number

Security checks across malware telemetry and agentic risk

Overview

This skill appears to broker disposable phone verification with automatic crypto payments, which creates financial and account-security risk that needs careful review.

Install only if you are comfortable giving the agent access to a limited-use wallet key and using a third-party disposable phone provider. Use a dedicated wallet with minimal funds, require manual approval before each payment and OTP entry, and avoid using it for account creation or verification flows that you do not own or have explicit permission to test.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The invocation guidance is overly broad: it tells the agent to use the skill for any website signup or phone verification needing a disposable number, without limiting use to legitimate, authorized scenarios. In context, this increases the chance the skill is invoked for account creation, policy evasion, or abuse across many third-party services.

Missing User Warnings

High
Confidence: 96%
Finding
The skill instructs the agent to automatically pay cryptocurrency and to submit phone numbers and OTPs to external services, but does not require explicit informed consent about costs, privacy exposure, or account-security implications. Because OTPs are authentication secrets and payments are triggered automatically, this can cause unauthorized spending, leakage of sensitive verification data, and creation of accounts tied to third-party disposable numbers.

Ssd 4

High
Confidence: 99%
Finding
This skill provides operational instructions for obtaining disposable phone numbers, receiving OTP codes, and completing website signups without using the user's real phone number. In context, that is dangerous because it directly enables identity obfuscation, abuse of SMS verification flows, and scalable creation of accounts on third-party platforms using intercepted authentication codes from a disposable-number provider.

VirusTotal

64/64 vendors flagged this skill as clean.
