Back to skill

Security audit

CallRail

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed CallRail API helper that uses a Maton API key to access sensitive CallRail data, with no evidence of hidden execution or malicious behavior.

Install only if you trust Maton to proxy your CallRail data and manage the OAuth connection. Protect MATON_API_KEY, use a specific connection ID when multiple CallRail accounts are connected, and approve any create, update, or delete request only after checking the exact account, resource, and effect.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The skill states that all write operations require explicit user approval, but the documentation exposes mutating and destructive endpoints without any enforceable guardrail. In an agent setting, this mismatch can lead to unauthorized updates or deletions if the model follows the API docs directly instead of honoring the policy text.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill prominently enables access to call records, user data, phone numbers, names, and potentially recordings, but it lacks an explicit privacy warning about sensitive customer information. In this context, the data is inherently high-sensitivity, so omission of privacy guidance increases the risk of over-collection, inappropriate disclosure, or careless downstream handling.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.