Amber — Phone-Capable Voice Agent

Security checks across malware telemetry and agentic risk

Overview

Amber’s phone features are mostly disclosed, but it needs review because it automatically stores and reuses callers’ personal details without a built-in consent or retention gate.

Install only if you are prepared to operate Amber as a sensitive communications system: disclose AI handling and logging to callers, configure a lawful consent/notice policy, review and delete CRM records regularly, restrict access to logs/transcripts/contact caches, and verify calendar writes through the MCP path before using it for production scheduling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (45)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding:
The skill markets itself as providing phone-call capabilities, but the prompt also implements persistent CRM profiling and cross-call memory of callers. That materially expands the data processing scope beyond what a caller would reasonably expect from a simple phone assistant, increasing privacy, consent, and retention risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The instructions explicitly direct the assistant to silently save volunteered personal details without informing the caller or requesting permission. In a voice-channel context, this can lead to covert collection of names, email addresses, companies, and other personal data, creating legal and privacy exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The calendar skill explicitly allows `action: create` while declaring `confirmation_required: false`, which conflicts with the architecture's own safer default for side-effecting actions. This enables the model to create calendar entries without an enforced user-confirmation gate, causing unauthorized or mistaken modifications to operator data during a call.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The handler implements calendar lookup and event creation even though the skill metadata describes a phone/call-focused capability. This is a real scope-drift issue because it grants access to a separate sensitive domain—calendar availability and modification—which can expose scheduling patterns and allow unauthorized event creation if a user or reviewer relies on the narrower manifest description.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The design claims there is 'no network exposure' and that the CRM is 'local-only', but later sections explicitly describe optional external CRM synchronization and read-only HTTP API endpoints for a dashboard. This kind of contradictory security documentation is dangerous because operators may deploy the skill under a false assumption that PII never leaves the host, leading to misconfiguration, missing consent, or inadequate hardening of exposed interfaces.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding:
The skill’s privacy section says internal CRM context should not be disclosed, yet the operating instructions explicitly tell the agent to use stored personal details to personalize live calls. That creates a real confidentiality risk: if notes are inaccurate, unexpectedly sensitive, or overheard by others, the agent may reveal private information back to the caller or to unintended listeners without fresh consent.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The file explicitly says validation is disabled and no real APIs are called, yet the wizard prints success messages such as 'credentials valid', 'ngrok detected', and 'Active ngrok tunnel found' without performing those checks. This is a deceptive setup flow that can mislead operators into trusting invalid credentials, assuming external exposure exists, or deploying a broken configuration.

Context-Inappropriate Capability

Severity: High
Confidence: 84%
Finding:
The runtime automatically extracts and persists personal context from every call for future use, including health issues, preferences, and life events, without any visible consent gate or purpose limitation in this path. In a phone-assistant context, that creates a meaningful privacy and profiling risk because highly sensitive caller data is systematically converted into durable CRM memory and can be reused later.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The CRM workflow requires background lookup, logging, and retention of caller data with no user-facing warning. Because the assistant is operating over phone calls and is instructed to act invisibly, callers may never realize their interactions are being profiled and stored, which makes the privacy risk more serious in this context.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill instructs storage of sensitive personal context such as family, pets, health-adjacent details, and life events for future personalization, again without warning the caller. That turns a call assistant into a behavioral memory system and creates substantial risk if the data is misused, over-retained, or exposed.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
Creating calendar events is a state-changing action on user-owned data, yet the spec documents it as requiring no confirmation. In a voice-agent context, transcription errors, prompt mistakes, or ambiguous caller phrasing could cause unwanted event creation without explicit consent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The activation language says the agent can run calls and phone tasks from 'one natural-language prompt,' which is overly broad for a skill that can place calls, access contacts, read/write calendar data, and interact with external services. Broad trigger phrasing increases the risk of accidental or prompt-injected invocation of sensitive telephony and scheduling actions.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The prompt instructions explicitly tell the agent to silently collect and store caller identifiers such as name, email, and company information without any user-facing notice or consent flow. In a voice-assistant context handling phone calls, this creates a real privacy risk because callers may not expect persistent profiling across calls, and the agent is encouraged to conceal the data capture behavior.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill is designed to store phone numbers, names, emails, companies, notes, and interaction history, but the user-facing workflow does not require a clear notice that retention is occurring. Even if storage is local, silent collection and persistence of PII can violate privacy expectations, policy, or legal requirements and increases harm if the device is later accessed by an unauthorized party.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding:
The instructions tell the agent to personalize calls using remembered details such as preferences or facts about a caller’s personal life, but there is no explicit caller opt-in before using that memory. This can surprise callers, expose profiling behavior, and reveal that the system is retaining personal information beyond what the caller reasonably expected.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding:
The example note stores a sensitive life-event detail ('Recently married') alongside behavioral commentary, normalizing retention of personal information that may be unnecessary for call handling. Including such examples encourages over-collection and reuse of sensitive personal context without clear necessity, minimization, or opt-in.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The handler initializes a persistent local SQLite database in the user's home directory and is clearly designed to retain contact and call-related personal data, but this file contains no mechanism for notice, consent, or retention controls. In the context of a voice assistant handling phone calls, silently persisting caller data increases privacy and compliance risk because users and call participants may not expect CRM-style storage of phone numbers, notes, and interaction history.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The upsert flow stores and updates personal data such as phone numbers, names, emails, company information, and context notes without any confirmation, consent check, or visible indication to the user. Because this is a CRM skill for a phone-capable agent, the data is directly tied to identifiable individuals, making undisclosed persistence a meaningful privacy vulnerability rather than a purely expected internal implementation detail.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The interaction logger persists call summaries, outcomes, metadata, and arbitrary details JSON, which may include sensitive call content, without any visible warning or consent workflow. In a voice-call environment this is particularly risky because users may assume ephemeral handling of call context, while the code creates a durable interaction history linked to phone numbers and call identifiers.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The handler writes caller-provided name, callback number, and message metadata to the call log before any user-facing disclosure or consent check. In a voice-assistant context, this creates a real privacy risk because personally identifiable information and message content may be retained unexpectedly, increasing exposure through log access, retention, or downstream analytics.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill forwards caller message content and contact details to an external messaging gateway without any user-facing warning that third-party delivery will occur. Even though the code attempts to delimit untrusted content, that does not address the core privacy issue: sensitive caller data is being transmitted off-platform to another service without transparency or consent.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The README explicitly promotes a dashboard that exposes call logs, full transcripts, captured messages, and contact resolution data, but it provides no privacy warning, access-control guidance, or data-handling cautions. In the context of a voice assistant handling phone conversations, these artifacts can contain highly sensitive personal or business information, so normalizing their display and persistence without warning increases the risk of accidental disclosure.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The README suggests running the dashboard server with `--host 0.0.0.0`, which binds the service to all network interfaces and can expose sensitive call records and transcripts to other devices on the local network or beyond, depending on firewall/NAT configuration. Because this dashboard is specifically for call logs and transcripts, network exposure materially increases the chance of unauthorized access to private communications.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The wizard collects high-sensitivity secrets and personal data, including Twilio credentials, OpenAI API keys, webhook secrets, phone numbers, email, and organization details, but does not warn users how these values will be stored, protected, or used. In a setup assistant context, this increases the risk of unsafe handling, accidental disclosure, and inappropriate persistence of sensitive data.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README explicitly instructs users to sync Apple Contacts to a local cache but does not warn that this copies potentially sensitive personal data onto the local machine or explain retention and access implications. In a telephony/contact-management skill, this omission matters because users may expose third-party contact data without informed consent or appropriate handling expectations.

VirusTotal

65/65 vendors flagged this skill as clean.