Famulor Skill

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Famulor onboarding helper, but it exposes broad account-changing and outbound communication powers beyond basic assistant setup.

Install only if you trust the publisher and are comfortable giving this skill a Famulor API key with broad account authority. Use a restricted API key if Famulor supports one, confirm before sending documents or customer data, review call-recording and webhook settings for legal/privacy obligations, and avoid using the raw CLI for destructive or outbound actions unless you intend them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch (Severity: Medium, Confidence: 94%)

The file explicitly broadens the skill from onboarding into general account operations after assistant creation. Even if useful operationally, bundling unrelated powers into one skill makes least-privilege enforcement harder and increases the blast radius of a mistaken invocation or prompt-injection-driven action. In this context, the skill can move from collecting setup details to managing live account assets without a clear trust boundary.

Context-Inappropriate Capability (Severity: Medium, Confidence: 93%)

The documented capabilities include outbound communications and broad account operations that are not necessary for creating a new assistant. These functions can incur cost, contact third parties, or modify account state, so including them under an onboarding skill raises the risk of unintended actions and privacy issues. The danger is amplified because outbound channels like SMS, WhatsApp, and calls can affect external recipients immediately.

Description-Behavior Mismatch (Severity: High, Confidence: 93%)

The file is presented as part of a customer-onboarding skill, but the client wrapper exposes broad account-management actions across the entire Famulor account, including deletion, telephony, messaging, campaigns, and metadata management. In an agent-skill context, this violates least privilege and creates a large blast radius if the skill is invoked unexpectedly, misused by prompt injection, or used in the wrong workflow.

Context-Inappropriate Capability (Severity: High, Confidence: 97%)

The skill includes methods to initiate outbound calls, send SMS and WhatsApp messages, manage leads, and start/stop campaigns, which are high-risk actions unrelated to basic onboarding. In an agent environment, these capabilities could be abused to contact external parties, trigger marketing activity, incur charges, or cause compliance and reputational harm without strong user intent verification.

Context-Inappropriate Capability (Severity: Medium, Confidence: 84%)

The get_me() method exposes account-level information such as balance and plan details, which is broader than what is typically needed for customer onboarding. In this skill context, unnecessary access to account and billing metadata increases data exposure and may aid reconnaissance for later misuse.

Context-Inappropriate Capability (Severity: Medium, Confidence: 88%)

Folder and label management are unrelated organizational capabilities that expand what the skill can modify beyond onboarding an assistant. Although lower impact than messaging or deletions of core assets, they still permit unintended account changes and demonstrate overbroad authority for the stated purpose of the skill.

Vague Triggers (Severity: Medium, Confidence: 88%)

The trigger phrases are extremely broad, including generic terms like 'create a bot', 'set up an assistant', and 'onboarding'. Overbroad routing can cause the skill to activate in contexts the user did not intend, exposing business data to external APIs or initiating account changes under the wrong workflow. In an authenticated skill with write capabilities, accidental invocation itself is a meaningful security risk.

Missing User Warnings (Severity: Medium, Confidence: 91%)

The skill instructs collection of customer business information and optional website/doc ingestion into a knowledge base, but it does not prominently warn that this data will be transmitted to an external API/service. That omission undermines informed consent and may lead users to share sensitive operational or client information without understanding where it will go. Given the onboarding context, the skill is specifically designed to solicit structured business data, making the disclosure gap more serious.

Missing User Warnings (Severity: Medium, Confidence: 93%)

The payload defaults include call recording and support for webhooks, but the skill does not require a clear user warning about recording, downstream delivery, and retention of call data. This can create compliance, privacy, and legal exposure, especially in regulated sectors like medical or legal services that the skill explicitly targets. Because these settings are framed as standard configuration, users may enable surveillance and data export without appreciating the consequences.

Missing User Warnings (Severity: Medium, Confidence: 95%)

The skill sets call recording to `true` by default for customer onboarding flows that may collect personal and potentially sensitive data such as phone numbers, birth dates, insurance status, legal matters, and medical context. Enabling recording without requiring an explicit disclosure/consent step creates privacy and compliance risk, especially in regulated contexts like healthcare, legal, and veterinary intake.

Missing User Warnings (Severity: Medium, Confidence: 91%)

The CLI allows direct invocation of any exposed public client method, including destructive operations like delete_assistant, release_phone_number, delete_campaign, and delete_label, without confirmation prompts or safeguards. This is dangerous because operator mistakes, automation misuse, or tricked invocation can cause irreversible account changes using the configured API key.

Missing User Warnings (Severity: Medium, Confidence: 78%)

When file_path is provided, the client opens a local file and uploads its contents to the remote API without any explicit disclosure or confirmation at the CLI layer. In an agent or automation setting, this can lead to unintended exfiltration of local data if a path is supplied incorrectly, maliciously, or through prompt-manipulated inputs.

VirusTotal

65/65 vendors flagged this skill as clean.