clawcall-phone

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real phone-call integration, but it needs review because it gives callers and scheduled phone flows broad access to the agent, local context, and outbound calling features without enough guardrails.

Review carefully before installing. Use only with trusted callers, keep the bridge bound to 127.0.0.1, avoid the Windows CLI fallback, protect the ClawCall API key, and do not place secrets in USER.md, MEMORY.md, tasks, or call objectives. Require explicit approval for third-party, scheduled, paid, recorded, or callback calls, and assume call audio, transcripts, schedules, and generated replies may be processed by ClawCall/Twilio and any configured model backend.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no permissions despite explicitly requiring environment variables and describing runtime components that access secrets and external services. This under-declaration weakens review and consent boundaries because operators may not realize the skill needs sensitive configuration and networked telephony capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The documented behavior goes beyond the stated purpose by indicating access to local identity/user/memory files, cron/task state, agent subprocess execution, and a local HTTP service. In a phone-call skill, that broader ambient access is risky because spoken prompts or remote call flows could cause unintended disclosure of local context or operational state to callers or third parties.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill enables autonomous third-party calling and relays conversation content through ClawCall without a prominent consent/privacy warning for the called party. This can create legal, privacy, and compliance exposure, especially in jurisdictions requiring notice for recording, AI disclosure, or consent to automated calls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function reads `USER.md`, `IDENTITY.md`, and conditionally `MEMORY.md`, then assembles their contents into phone-call context based on message keywords. In a phone skill that can call users or third parties, this creates a real risk of oversharing personal profile data, notes, and long-term memory to external recipients without clear minimization, consent checks, or recipient-based access controls.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description explicitly advertises autonomous calls to third parties and scheduled calls, but provides no warning about consent, privacy, harassment, recording, cost, or legal/compliance risks. In a phone-calling skill, omission of those safeguards is materially risky because it normalizes agent-initiated real-world actions against external parties without making user approval boundaries clear.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The listener logs raw inbound caller messages and generated replies to the console, which can expose sensitive call content such as personal data, authentication details, or confidential business information to anyone with access to terminal output, process logs, or centralized logging systems. In this skill’s context, the risk is elevated because it handles phone conversations, where users may reasonably disclose private information without expecting transcript-like logging.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly states that the bridge builds prompts from local user info, cron jobs, tasks, optional memory, and the user's transcribed speech, but it does not warn operators that sensitive personal data is being transmitted between components and potentially to model backends. In a phone-agent context, this increases the risk of unintentional disclosure of private data, especially if the local bridge is reconfigured off localhost or logs request bodies.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document tells users how to retrieve recording URLs and transcripts for calls hosted by Twilio without emphasizing that recorded audio and transcripts are highly sensitive and may contain personal, financial, or authentication information. Exposing retrieval guidance without access-control, retention, or sharing warnings can lead to oversharing, insecure storage, or unauthorized access to highly sensitive call artifacts.

External Transmission

Medium
Category
Data Exfiltration
Content
3. Call the registration endpoint:

```
POST https://api.clawcall.online/api/v1/register
Content-Type: application/json

{
```
Confidence
90% confidence
Finding
https://api.clawcall.online/

External Transmission

Medium
Category
Data Exfiltration
Content
for incoming messages manually:

```
GET https://api.clawcall.online/api/v1/calls/listen?timeout=25
Authorization: Bearer {CLAWCALL_API_KEY}
```
Confidence
88% confidence
Finding
https://api.clawcall.online/

External Transmission

Medium
Category
Data Exfiltration
Content
After receiving a message, submit your response:

```
POST https://api.clawcall.online/api/v1/calls/respond/{call_sid}
Authorization: Bearer {CLAWCALL_API_KEY}
Content-Type: application/json
```
Confidence
88% confidence
Finding
https://api.clawcall.online/

External Transmission

Medium
Category
Data Exfiltration
Content
When a background task finishes and you need to notify the user by phone:

```
POST https://api.clawcall.online/api/v1/calls/outbound/callback
Authorization: Bearer {CLAWCALL_API_KEY}
Content-Type: application/json
```
Confidence
87% confidence
Finding
https://api.clawcall.online/

External Transmission

Medium
Category
Data Exfiltration
Content
## Scheduling a Recurring Call (Pro tier)

```
POST https://api.clawcall.online/api/v1/calls/schedule
Authorization: Bearer {CLAWCALL_API_KEY}
Content-Type: application/json
```
Confidence
86% confidence
Finding
https://api.clawcall.online/

External Transmission

Medium
Category
Data Exfiltration
Content
## Calling a Third Party (Pro tier)

```
POST https://api.clawcall.online/api/v1/calls/outbound/third-party
Authorization: Bearer {CLAWCALL_API_KEY}
Content-Type: application/json
```
Confidence
94% confidence
Finding
https://api.clawcall.online/

External Transmission

Medium
Category
Data Exfiltration
Content
Re-register with the same email to rotate the key:

```
POST https://api.clawcall.online/api/v1/register
Content-Type: application/json

{
```
Confidence
85% confidence
Finding
https://api.clawcall.online/

VirusTotal

66/66 vendors flagged this skill as clean.