phone calling

Security checks across malware telemetry and agentic risk

Overview

This is a real phone-calling skill, but it gives agents paid calling and sensitive call-data capabilities with inconsistent scope and weak consent guidance.

Install only if you are comfortable giving an agent access to a paid external phone-calling account. Require explicit approval for each destination number, direct or bridge mode, expected cost, max duration, DTMF digits, and any transcription. Avoid batch campaigns, sales outreach, transcript analytics, and webhook forwarding unless you have verified consent, legal compliance, SDK provenance, and Ringez data-retention controls.
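The per-call approval the paragraph above asks for is only useful if the approval is bound to the exact parameters the user saw, so that an agent cannot obtain consent for one number and then dial another. The following is an added example, not the skill's own code: it assumes a wrapper in which every outbound call passes through authorize_call() with a token the user minted for the exact destination, mode, cost cap, duration, DTMF string and transcription flag. The field names and the policy limits are hypothetical.

```python
"""Parameter-bound approval gate for agent-initiated calls.

Added example, not the skill's own code. Assumed wrapper: every outbound
call goes through authorize_call() with a token the user minted for the
exact parameters they were shown, so the agent cannot silently change the
number, mode, cost cap, duration, DTMF string or transcription flag after
approval. Field names and the policy limits are hypothetical.
"""
import hashlib
import hmac
import json
import re

E164 = re.compile(r"^\+[1-9]\d{6,14}$")
ALLOWED_MODES = {"direct", "bridge"}          # direct = callee only, bridge = user's phone rings first
DENIED_KEYS = {"batch", "campaign", "schedule", "webhook_url"}  # bulk/forwarding features stay off
MAX_COST_USD, MAX_DURATION_S = 5.0, 900       # hypothetical policy caps


def canonical(params: dict) -> bytes:
    """Stable encoding so the approved and the submitted objects hash identically."""
    return json.dumps(params, sort_keys=True, separators=(",", ":")).encode()


def validate(params: dict) -> list[str]:
    """Policy checks a user could not sensibly have waived; returns a list of problems."""
    problems = []
    if DENIED_KEYS & params.keys():
        problems.append("bulk/forwarding fields present")
    if not E164.match(str(params.get("destination", ""))):
        problems.append("destination is not an E.164 number")
    if params.get("mode") not in ALLOWED_MODES:
        problems.append("mode must be 'direct' or 'bridge'")
    if not 0 < float(params.get("max_cost_usd", 0)) <= MAX_COST_USD:
        problems.append("max_cost_usd outside policy")
    if not 0 < int(params.get("max_duration_s", 0)) <= MAX_DURATION_S:
        problems.append("max_duration_s outside policy")
    if params.get("dtmf") and not re.fullmatch(r"[0-9*#]{1,32}", params["dtmf"]):
        problems.append("dtmf must be 1-32 keypad characters")
    if not isinstance(params.get("transcribe"), bool):
        problems.append("transcribe must be explicitly true or false")
    return problems


def approve(params: dict, user_secret: bytes) -> str:
    """User side: mint a token bound to exactly these parameters."""
    return hmac.new(user_secret, canonical(params), hashlib.sha256).hexdigest()


def authorize_call(params: dict, token: str, user_secret: bytes) -> tuple[bool, str]:
    """Agent side: place the call only if policy passes and the token matches."""
    problems = validate(params)
    if problems:
        return False, "; ".join(problems)
    if not hmac.compare_digest(approve(params, user_secret), token):
        return False, "parameters differ from what the user approved"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    request = {"destination": "+14155550100", "mode": "bridge", "max_cost_usd": 0.5,
               "max_duration_s": 300, "dtmf": "", "transcribe": False}
    token = approve(request, secret)
    print(authorize_call(request, token, secret))
    print(authorize_call(dict(request, destination="+14155550199"), token, secret))
```

The token is an HMAC over the canonical JSON of the request, so any change to any field after approval, including flipping transcription on or adding a campaign field, invalidates it; the policy checks run first so that a user cannot be talked into approving a batch job dressed up as a single call.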

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (19)

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The manifest description says users can 'Pay with PayPal or UPI,' but the body of the skill later states the skill cannot add credits and instead redirects users to an external wallet page. This mismatch can mislead users and higher-level agents into believing payment occurs in-skill, increasing the risk of unsafe payment flows, user confusion, and trust abuse around billing-related actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The top-level description overstates functionality by implying direct payment support that is not implemented in the documented API. In agent ecosystems, misleading capability descriptions can cause automated systems or users to attempt sensitive financial actions under false assumptions, which is a security-relevant integrity issue even if no payment endpoint exists.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill is advertised as a phone-calling capability, but the spec exposes substantially broader features including intent detection, sentiment analysis, voice synthesis, analytics, and batch/scheduled automation. This scope expansion increases the attack surface and can mislead integrators and users about what data is processed and what autonomous actions the skill may perform.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The documented API includes contact storage, call history, and reporting features that go beyond simple call placement. In a skill presented as only making phone calls, this creates a transparency and overcollection risk because users may not expect persistent storage of address-book data and historical call metadata.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The overview claims agents can make calls 'without requiring authentication,' but the authentication section requires bearer API keys. Contradictory security documentation is dangerous because implementers may build or expose unauthenticated calling flows, assume weaker controls are acceptable, or mishandle trust boundaries around high-risk telephony actions.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The documented capabilities substantially exceed the manifest’s narrow description of making international phone calls and payment handling. This scope mismatch is dangerous because integrators and downstream reviewers may authorize a seemingly simple calling skill while unknowingly enabling transcription, sentiment analysis, routing, and other higher-risk data processing features.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The outbound campaign automation pattern enables batch calling, message playback, DTMF collection, transcription, and automatic hangup at scale, which materially increases abuse potential for robocalling, spam, and consent violations. In the context of a skill advertised as ordinary phone calling, this hidden bulk automation capability makes misuse easier and detection less likely.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The customer-support automation example expands the skill from simple calling into real-time transcript analysis, intent detection, and AI-driven escalation. While plausibly legitimate, it increases privacy and decision-making risk by processing live call content and taking automated actions beyond what the manifest suggests.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The analytics and report-generation sections introduce collection, aggregation, and visualization of call metadata beyond basic call placement. This broader data-processing surface can expose sensitive operational and behavioral information if enabled without clear disclosure, retention limits, and access controls.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The documented capability set materially exceeds the stated skill purpose of simple phone calling and payment. It includes transcription, intent/sentiment analysis, routing, callbacks, and webhook handling, which expands data collection and autonomous behavior beyond what a user would reasonably expect and can enable covert surveillance or decision-making.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
These examples introduce conversation intelligence and automated actions such as sentiment-based escalation, intent detection, and call transfer that go beyond a basic calling skill. In a phone-calling context, this is risky because it can process sensitive call content and trigger consequential actions without clear user authorization or policy controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding:
The use cases expand the skill into outreach automation, reminders, synthesized voice playback, DTMF collection, and batch calling, which materially broadens operational scope and abuse potential. In particular, sales outreach and appointment workflows can facilitate robocalling, social engineering, or unauthorized contact campaigns if deployed without stricter safeguards.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill promotes phone calling as 'privacy-focused' but does not clearly warn that call metadata, audio, dialed numbers, and DTMF tones may be transmitted to telecom providers and external recipients. Because DTMF may contain PINs or account numbers, omission of this warning can lead users or agents to expose sensitive personal or financial information during calls.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The examples explicitly encourage AI agents to use direct mode to place outbound calls where the user's phone does not ring, without a strong consent warning or confirmation requirement. That makes autonomous external communication easier to trigger silently, creating risk of unauthorized calls, social engineering, disclosure of user information to third parties, and financial charges.

Vague Triggers

Severity: Medium
Confidence: 98%
Finding:
The /auth/check-email endpoint explicitly reveals whether an email is registered by returning 'new_user' or 'existing_user'. That enables account enumeration, which attackers can use to identify valid users for credential stuffing, phishing, targeted OTP abuse, or privacy-invasive probing of service membership.
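The fix for an enumeration oracle like the one described in this finding is to make the endpoint's observable behaviour independent of whether the address exists. The block below is an added example, not the skill's or the Ringez service's code: check_email_leaky() has the shape the finding describes, and check_email_uniform() shows the usual hardening (identical response body, identical work on both paths, and a per-source rate limit). The user store, the rate limits and the deliver() hook are constructed for the demo.

```python
"""Uniform response for an email-check endpoint.

Added example, not the skill's own code. check_email_leaky() has the shape
the finding describes (distinct 'new_user' / 'existing_user' answers);
check_email_uniform() shows the usual fix: identical body and identical
work whether or not the address is registered, plus a per-source rate
limit. The user store, the limits and deliver() are constructed for the demo.
"""
import secrets
import time
from collections import defaultdict
from typing import Optional

REGISTERED = {"alice@example.com"}            # constructed demo user store
RATE_LIMIT, WINDOW_S = 5, 60.0                # hypothetical policy: 5 checks per source per minute
_attempts: dict[str, list[float]] = defaultdict(list)


def check_email_leaky(email: str) -> dict:
    """Reported behaviour: the body itself reveals whether the account exists."""
    return {"status": "existing_user" if email.lower() in REGISTERED else "new_user"}


def deliver(email: str, code: str) -> None:
    """Hypothetical mail hook; a real service would send the code here."""


def _rate_limited(source: str, now: float) -> bool:
    """Sliding-window counter keyed by the caller (IP, API key, or device id)."""
    recent = [t for t in _attempts[source] if now - t < WINDOW_S]
    _attempts[source] = recent + [now]
    return len(recent) >= RATE_LIMIT


def check_email_uniform(email: str, source: str, now: Optional[float] = None) -> dict:
    """Same body for known and unknown addresses; only delivery differs, invisibly to the caller."""
    now = time.monotonic() if now is None else now
    if _rate_limited(source, now):
        return {"status": "too_many_requests"}
    code = f"{secrets.randbelow(1_000_000):06d}"   # generated on every request, so the work is equal
    if email.lower() in REGISTERED:
        deliver(email, code)
    return {"status": "ok",
            "message": "If this address is registered, a sign-in code has been sent."}


if __name__ == "__main__":
    print(check_email_leaky("alice@example.com"), check_email_leaky("nobody@example.com"))
    print(check_email_uniform("alice@example.com", "10.0.0.1"))
    print(check_email_uniform("nobody@example.com", "10.0.0.1"))
```

The rate limit matters even with a uniform body: an attacker who can still measure timing or mailbox side effects is slowed to a handful of guesses per minute per source, and the log of rejected bursts is itself a useful detection signal.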

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The spec promotes autonomous calling, privacy mode, transcription, and contact handling but does not clearly warn about consent, lawful interception/recording restrictions, or sensitive-data implications. In a telephony context, missing consent and privacy guidance can lead directly to unlawful or abusive use, especially for autonomous outbound calls and recorded conversations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The transcription endpoints describe creation and retrieval of conversation transcripts, including downloadable transcript URLs, without explicit safeguards for sensitive content, retention, or access control expectations. Call transcripts can contain financial, health, account, or authentication data, so under-specified protections materially increase privacy and data-exposure risk.
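This finding and the earlier DTMF finding point at the same practical control: call records must be scrubbed before they are persisted and must not live forever. The block below is an added example, not the skill's own code. scrub_call_record() masks the DTMF field and any run of four or more digits in transcript text (PINs, card and account numbers), and retention_due() flags records older than a retention window. The record layout and the 30-day default are constructed for the demo.

```python
"""Scrub and age out stored call data.

Added example, not the skill's own code. Two of the findings above note that
DTMF digits and transcripts can carry PINs, account numbers and other secrets
and that retention is unspecified. scrub_call_record() masks the DTMF field
and any run of four or more digits in transcript text before a record is
persisted; retention_due() flags records older than a retention window. The
record layout and the 30-day default are constructed for the demo.
"""
import re
from datetime import datetime, timedelta, timezone

# Four or more digits, optionally separated by single spaces or dashes (PINs, card
# and account numbers). Deliberately conservative: years and short codes are masked too.
DIGIT_RUN = re.compile(r"\d(?:[ -]?\d){3,}")
MASK = "[REDACTED-DIGITS]"


def redact_digits(text: str) -> str:
    """Replace every qualifying digit run with a fixed mask."""
    return DIGIT_RUN.sub(MASK, text)


def scrub_call_record(record: dict) -> dict:
    """Return a copy safe to persist; the caller's record is left untouched."""
    out = dict(record)
    if "dtmf" in out:
        out["dtmf"] = "*" * len(out["dtmf"])        # keep the length for debugging, never the digits
    if "transcript" in out:
        out["transcript"] = redact_digits(out["transcript"])
    return out


def retention_due(record: dict, now: datetime, keep: timedelta = timedelta(days=30)) -> bool:
    """True when the record has outlived the retention window and should be deleted."""
    started = datetime.fromisoformat(record["started_at"])
    if started.tzinfo is None:                        # treat naive timestamps as UTC
        started = started.replace(tzinfo=timezone.utc)
    return now - started > keep


if __name__ == "__main__":
    sample = {  # constructed sample record
        "call_id": "demo-1", "started_at": "2024-01-01T00:00:00+00:00",
        "dtmf": "1234#",
        "transcript": "my pin is 4321 and the card is 4111 1111 1111 1111, thanks",
    }
    print(scrub_call_record(sample))
    print(retention_due(sample, datetime(2024, 3, 1, tzinfo=timezone.utc)))
```

Scrubbing at write time, rather than at read time, is the point: a downloadable transcript URL or a backup snapshot then never contains the raw digits, whatever access control sits in front of it.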

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The outbound campaign example normalizes automated calling, transcription, DTMF collection, and auto-hangup without any visible warning about consent, legal restrictions, or recipient expectations. This omission is dangerous because developers may implement mass-calling behavior without safeguards against unlawful robocalling or covert recording/transcription.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The guide prominently advertises real-time transcription and intent/sentiment analysis but does not give an explicit privacy and consent warning to end users or implement region-dependent consent checks. Recording and analyzing live calls can violate wiretapping, telecom, employment, health, or privacy laws and expose highly sensitive personal data.

VirusTotal

63/63 vendors reported this skill as clean (no detections).