Restaurant Booker

Security checks across malware telemetry and agentic risk

Overview

This is a real PollyReach phone integration, but its restaurant-booking label understates broad call-answering, inbound-message access, transcript exposure, and account prompt-control behavior.

Install only if you want PollyReach to function as a broad phone agent, not just a restaurant-booking helper. Review the stored token, inbound call answering, unread-message polling, full transcripts and recordings, prompt-update capability, and any scheduled polling before using it with personal, customer, or business calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (19)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a restaurant-booking tool, but the documentation authorizes a much broader telephony platform: activation, balance checks, inbound call handling, prompt reconfiguration, and generic outbound calling. This scope expansion can mislead users and reviewers into granting permissions and sharing data for a narrow use case while enabling substantially broader data access and communication capabilities.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The documentation quickly pivots from restaurant reservations to a general-purpose calling concierge. That hidden expansion increases the chance that an agent will perform tasks far outside the user’s expected consent boundary, including broad calling and account-linked telephony operations.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Incoming-call answering, voicemail/receptionist behavior, and prompt customization are unrelated to restaurant booking and introduce access to third-party caller data and recordings. This materially increases privacy and misuse risk because the skill can monitor and summarize communications that the user may not expect a booking tool to handle.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The outbound-call instructions explicitly expand into hotels, tickets, complaints, interviews, agencies, and other general tasks. That is a meaningful capability escalation from restaurant booking and creates a platform for arbitrary external communications under a misleading label.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill branding and early description frame a narrow booking function, while later content describes a broad outbound/inbound phone agent. This inconsistency undermines informed consent and can cause operators to underestimate the sensitivity of granted permissions and shared information.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script reads a local API token from a credentials file and uses it to query account credit balance, which is ancillary to the stated purpose of booking restaurant reservations. In a skill context, accessing billing or account-state information without clear user justification expands the data-access scope and can expose sensitive account metadata or normalize credential use beyond the minimum necessary.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script polls an unread SMS inbox and prints message contents and sender phone numbers, which is unrelated to the stated purpose of booking restaurant reservations by phone. In the context of a restaurant-booking skill, accessing inbound SMS materially expands data access to private communications and suggests hidden surveillance or data collection behavior.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code implements retrieval of unread SMS messages from an external platform even though the advertised skill only needs to place calls and confirm bookings. This mismatch between declared functionality and implemented capability is a strong indicator of covert data access, creating privacy and abuse risk if deployed under user trust.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script reads a local PollyReach bearer token and uses it to update a remote phone prompt, which is a privileged account-modification action unrelated to the declared purpose of simply booking restaurant reservations. In the context of an agent skill package, hidden prompt-reconfiguration capability can be abused to alter downstream agent behavior, persistence, or call instructions without the user's informed consent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill package includes behavior to remotely reconfigure a PollyReach phone prompt rather than only performing restaurant booking. That mismatch between advertised capability and implemented behavior is risky because prompt changes can redefine what the phone agent says or does, creating a covert control channel inside a seemingly benign skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The helper script accepts arbitrary user-supplied text and forwards it to a generic chat/completions endpoint rather than enforcing restaurant-booking-specific operations. In the context of a restaurant reservation skill, this creates a scope mismatch that can enable undisclosed data handling or repurposing of the skill as a general remote prompt relay.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs disclosure of full call details, transcripts, and recording links after calls, but this sensitive reporting is not clearly disclosed up front in the skill description. Users and third parties may not realize conversations will be recorded, transcribed, and surfaced back in full.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages public sharing of the assigned phone number and automatic answering without a strong privacy warning. This increases exposure to spam, sensitive personal/business calls, and collection of third-party communications under a feature set unrelated to restaurant booking.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends an authorization bearer token to a remote API without any user-facing disclosure, consent flow, or warning. Even if the destination is the expected service endpoint, silent credential-bearing requests are dangerous because they can surprise operators, leak account usage metadata, and violate least-privilege and transparency expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends the user-provided message and bearer token to a remote service without any explicit user-facing notice or consent at the point of transmission. In a voice/agent skill context, lack of clear disclosure increases the risk that sensitive user content is transmitted off-device unexpectedly.

Ssd 3

Medium
Confidence
95% confidence
Finding
Requiring full recipient information and line-by-line transcripts to be shown by default violates data minimization and may expose sensitive details from third-party conversations. For a booking skill, this is more data than necessary to confirm task completion and materially increases privacy risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The incoming-call workflow mandates disclosure of caller details, full transcripts, and recordings after every call. Because inbound callers may not understand they are interacting with a recording/transcription system tied to a restaurant-booking skill, this creates a significant privacy and consent problem.

External Transmission

Medium
Category
Data Exfiltration
Content
```yaml
- "~/.config/PollyReach/key.json"
dependencies:
  required:
    - name: curl
      reason: Makes HTTP requests to the PollyReach API
    - name: jq
      reason: Safely constructs and parses JSON payloads
```
Confidence
84% confidence
Finding
```yaml
- name: curl
  reason: Makes HTTP requests to the PollyReach API
- name: jq
  reason: Safely constructs and parses JSON payloads
- name: bc
  reason: Arithmetic comparison for balance chec
```

External Transmission

Medium
Category
Data Exfiltration
Content
Register with PollyReach by providing your name and description.

```bash
curl -X POST https://api.pollyreach.ai/platform/v1/auths/signin/device \
  -H "Content-Type: application/json" \
  -d '{"name": "YourAgentName", "source": "openclaw", "description": "what are you"}'
```
Confidence
86% confidence
Finding
https://api.pollyreach.ai/

VirusTotal

65/65 vendors flagged this skill as clean.