Mobayilo Voice (Beta)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Mobayilo calling adapter with explicit live-call controls, but users should verify the external CLI installer and protect local status logs.

Install this only if you want OpenClaw workflows to use your Mobayilo account. Keep dry-run mode for testing, enable MOBY_REQUIRE_APPROVAL=1 for workflows that may place real calls, verify the moby installer or use a pinned trusted binary, and avoid running the verification script on shared hosts unless you protect or delete its /tmp output files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
log_file.parent.mkdir(parents=True, exist_ok=True)
out = log_file.open("a", encoding="utf-8")
try:
    subprocess.Popen(
        [self.config.cli_path, "agent", "run"],
        env={**os.environ, **self._base_env()},
        stdout=out,
```
Confidence
92% confidence
Finding
subprocess.Popen( [self.config.cli_path, "agent", "run"], env={**os.environ, **self._base_env()}, stdout=out, stderr=subproc

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill invokes local Python scripts and declares runtime requirements that imply shell execution, environment access, file access, and likely network use, but it does not explicitly declare permissions for those capabilities. That creates a transparency and policy-enforcement gap: users or platforms may approve the skill without understanding that it can place outbound calls and access local/environmental resources. In this context, the capability mismatch is more dangerous because the skill is designed to trigger real-world actions over the network, including live phone calls when `--execute` is used.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The adapter includes local process enumeration, termination, and subprocess lifecycle management that exceed the minimally necessary scope for placing outbound calls. These capabilities can interfere with unrelated local processes and, combined with configurable executable paths, increase the blast radius from a telephony skill to host-level process control.

Intent-Code Divergence

Medium
Confidence
81% confidence
Finding
The comment states there is no pre-start or singleton enforcement by default, yet the class contains implemented singleton enforcement and agent auto-start routines. This mismatch is dangerous because operators and reviewers may underestimate the side effects and privileges exercised by the skill, leading to unsafe deployment assumptions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script collects the authenticated actor email and includes it in the returned summary, then logs that summary via telemetry with adapter.log_event. This can expose personally identifiable information in logs, monitoring systems, or shared terminal output without clear necessity or user warning, increasing privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The adapter automatically starts a local agent subprocess with inherited environment variables and no explicit user-facing confirmation. In a skill whose expected function is placing calls, silently spawning a background process broadens execution scope and can surprise users, especially if the configured CLI binary or environment has been tampered with.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes authentication status and account balance data to fixed, predictable paths under /tmp, which is a shared world-accessible namespace on many systems. Another local user or process could read, replace, or race these files, exposing sensitive account information or causing the script to display attacker-controlled output; the skill context makes this somewhat more concerning because it handles telephony account state that may reveal operational and billing details.

Self-Modification

High
Category
Rogue Agent
Content
2. Install/upgrade Mobayilo CLI:
   ```bash
   curl -fsSL https://mobycli.mobayilo.com/install.sh | sh
   moby self-update
   ```
   Fallback when release endpoint is unavailable:
Confidence
90% confidence
Finding
self-update

External Script Fetching

High
Category
Supply Chain
Content
1. Confirm host hardware (Mac mini) is online and Mobayilo desktop audio agent is running.
2. Install/upgrade Mobayilo CLI:
   ```bash
   curl -fsSL https://mobycli.mobayilo.com/install.sh | sh
   moby self-update
   ```
   Fallback when release endpoint is unavailable:
Confidence
98% confidence
Finding
curl -fsSL https://mobycli.mobayilo.com/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
1. Confirm host hardware (Mac mini) is online and Mobayilo desktop audio agent is running.
2. Install/upgrade Mobayilo CLI:
   ```bash
   curl -fsSL https://mobycli.mobayilo.com/install.sh | sh
   moby self-update
   ```
   Fallback when release endpoint is unavailable:
Confidence
97% confidence
Finding
| sh

VirusTotal

64/64 vendors flagged this skill as clean.
