botcall-mcp

Security checks across malware telemetry and agentic risk

Overview

This skill clearly connects an agent to Botcall for phone-number and SMS verification workflows, but users should treat the API key and SMS codes as sensitive.

Install only if you are comfortable giving your agent access to Botcall phone numbers and SMS messages. Protect BOTCALL_API_KEY like a password, avoid exposing verification codes in prompts or logs, review the npm package before running it, and use the tool only for accounts or services you are authorized to manage.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill explicitly enables provisioning real phone numbers, receiving SMS, and extracting verification codes for third-party signups, but it provides no privacy, abuse-prevention, or legal/terms-of-service warning. This omission makes it easier for agents or users to use the tool for account creation, bypassing service controls, or handling sensitive verification messages without understanding consent, retention, and compliance risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal