Back to skill

Security audit

phone calling

Security checks across malware telemetry and agentic risk

Overview

This is a real phone-calling skill, but it gives an agent paid, real-world calling and sensitive call-data capabilities with broader and less clearly controlled behavior than the simple description suggests.

Install only if you are comfortable letting an agent use a paid external phone-calling account. Require explicit approval for each destination number, direct versus bridge mode, expected cost, maximum duration, DTMF entry, and any transcription. Avoid batch campaigns, sales outreach, transcript analytics, and webhook forwarding unless you have verified consent, legal compliance, spending limits, and Ringez data-retention controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Bulk outreach, queuing, scheduling, and 'emergency notifications' significantly increase abuse potential for robocalling, harassment, spam, or mass unsolicited contact. In the context of a skill advertised as simple phone calling, these undisclosed high-scale automation features lower friction for harmful use and bypass user expectations about impact.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The overview states calls can be made 'without requiring authentication,' while the authentication section later requires bearer tokens. This contradiction is dangerous because it can mislead integrators into treating the API as open or low-trust, causing insecure deployment decisions, accidental exposure of calling capability, or incorrect assumptions about who may invoke paid and privacy-sensitive actions.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The guide expands a simple phone-calling skill into broader surveillance and decisioning capabilities such as transcription, sentiment analysis, routing, and analytics. In a telephony skill, these extra capabilities increase privacy, consent, and abuse risk because an integrating agent could process call content and make consequential call-handling decisions beyond the user’s likely expectation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The outbound campaign example enables autonomous bulk calling, TTS playback, DTMF collection, and hangup flows, which materially increase abuse potential compared with a basic calling skill. In context, this can facilitate spam, robocalling, fraud workflows, and unexpected financial charges if adopted by an agent without strong policy controls.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The queue manager processes customer tier, pending issues, language, and skill-based routing data that go beyond minimal phone placement. This broadens data collection and profiling in a way not justified by the stated purpose, creating privacy and fairness risks and enabling hidden business-logic decisions based on user attributes.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The documented capability set materially exceeds the declared purpose of a simple phone-calling skill by including transcription, intent/sentiment analysis, routing, and voice features. This scope expansion increases the attack and privacy surface because users or integrators may grant access expecting only call placement, while the skill also enables call-content capture and behavioral analysis.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The sales outreach automation and customer-analysis examples go beyond ordinary call placement and enable mass outbound engagement plus transcript-based lead qualification. In the context of an AI agent skill, this creates elevated abuse potential for spam, unauthorized profiling, and non-consensual commercial outreach.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill enables paid outbound telephony through a third-party service but does not present a clear, explicit warning or consent checkpoint before initiating billable calls or transmitting phone numbers and related call metadata to Ringez/Twilio. This can lead users to unknowingly incur charges or disclose sensitive communication data to external providers, especially when an agent acts on terse commands like 'call my mom in India.'

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The direct mode feature allows autonomous outbound calls without the user's phone ringing, but the documentation does not clearly warn about the privacy, consent, and abuse implications of AI-initiated calling. In practice, this lowers friction for silent third-party contact, which can facilitate unwanted calls, disclosure of user information, or regulatory/compliance issues around recording, impersonation, and automated outreach.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill exposes a call-initiation action that can immediately place external phone calls and consume paid minutes, but the API specification does not require any explicit user confirmation, billing warning, or preflight disclosure before the side-effecting action executes. In an agent setting, this creates a meaningful risk of unintended real-world charges, accidental calls to third parties, and abuse through prompt confusion or automation mistakes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The spec promotes autonomous calling, privacy-sensitive contact handling, and transcript-related processing without prominent warnings about consent, call recording laws, data retention, and third-party disclosure. In a calling skill, that omission is more dangerous because users may not realize the system can place calls, store contacts, and process conversation content on their behalf.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The transcription and transcript retrieval features process highly sensitive conversation content but do not state consent requirements, legal constraints, retention periods, or access controls. This is particularly risky in telephony, where recording and transcription may be regulated and can expose personal, financial, or confidential information if enabled casually.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The examples show session creation and call initiation against production-style APIs without a prominent warning that they can place real phone calls and consume paid credits. In a phone-calling skill, omission of this warning makes accidental external actions and unexpected billing more likely, especially for users copying sample code verbatim.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide introduces transcription and analytics features without a clear privacy notice about recording/processing call audio and transcript content. In this skill context, that omission is more dangerous because call content may include sensitive personal or financial information, and downstream AI analysis further expands exposure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide shows how to enable real-time transcription and transcript analysis but does not prominently require notice and consent from call participants before capturing and processing call content. In a calling skill, this is especially sensitive because it can expose private conversations, regulated data, and biometric-like voice information depending on jurisdiction.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The outbound calling and transfer examples make it easy to automate calls to real phone numbers without explicit guardrails around consent, allowed use, destination validation, or legal compliance. In practice, these examples could be repurposed for spam, harassment, or unauthorized contact campaigns, making the omission of safeguards security-relevant rather than merely documentation quality.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.