Back to skill

Security audit

ClawdTalk

Security checks across malware telemetry and agentic risk

Overview

ClawdTalk is a real voice/SMS integration, but it gives a remote phone/SMS service a broad path into the user's main agent with weak approval boundaries.

Review carefully before installing. Use it only if you trust ClawdTalk/Telnyx with call transcripts, SMS content, mission data, and a persistent bridge into your main OpenClaw agent. Prefer environment variables or a secret store for keys, avoid custom server URLs unless you control them, restrict the agent tools available to voice/SMS sessions where possible, and do not rely on the built-in approval flow for destructive or financial actions without an independent confirmation step.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation extends this telephony/SMS skill into unrelated high-risk actions like deleting repositories, sending money, and posting to social media. That broadens the operational scope from communications tooling into general delegated authority, increasing the chance an agent will use the skill context to justify destructive or irreversible actions outside its intended domain.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The script executes `child_process.execSync('cd ' + SKILL_DIR + ' && npm install ws@8')` at runtime, which mutates the local environment and runs shell commands without operator approval. This creates supply-chain and command-execution risk, especially if package resolution, PATH, registry settings, or directory contents are influenced by an attacker or unsafe environment.

Intent-Code Divergence

High
Confidence
88% confidence
Finding
The header comment claims the script writes nothing, but the code later performs `npm install`, which writes to disk and changes the runtime environment. This misrepresentation can cause operators to trust and run the skill under false assumptions, reducing scrutiny around a code path that executes external package installation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The setup script offers to modify the user's gateway policy to allow `sessions_send` over the HTTP tools API, which expands what can be invoked through the gateway beyond simple local configuration. In this skill's context, that permission is functionally required for voice-call routing to the main agent, but it still weakens a default security boundary and increases the blast radius if the local gateway or this skill is abused.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The changelog documents that the agent will automatically generate and send SMS replies on the user's behalf, but it does not indicate any confirmation step, opt-in control, or clear user warning. In a voice/SMS automation skill, autonomous outbound messaging can create privacy, consent, billing, and impersonation risks if the agent misinterprets context or is prompted maliciously.

Missing User Warnings

Low
Confidence
78% confidence
Finding
The changelog advertises a self-update script and direct-download artifact without mentioning trust verification, integrity checks, or the fact that local files will be modified. While changelog text alone is not exploit code, normalizing unattended updates from GitHub can lead users to run code that changes their installation without understanding the supply-chain risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The setup guide explicitly instructs the agent to request, validate, and persist the user's API key, but it does not warn the user that the credential will be echoed into commands, stored in environment variables during execution, and written into `skill-config.json`. In an agentic environment, that increases the risk of accidental credential exposure through logs, transcripts, shell history, workspace files, or later tool access by other components.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script directly sources a local .env file with Bash's '.' operator, which executes arbitrary shell syntax rather than safely parsing key/value pairs. If an attacker can modify the skill directory or trick a user into installing a crafted .env, they can achieve arbitrary code execution when the user runs the connection manager.

Missing User Warnings

High
Confidence
98% confidence
Finding
The approval model is weakened in the embedded prompt and corresponding logic: sensitive actions can proceed with mere voice assent, and elsewhere in the code they proceed even when no devices are available. In a telephony skill, callers can be spoofed, overheard, socially engineered, or mis-transcribed, so treating voice confirmation as equivalent to strong out-of-band approval is dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Inbound SMS messages are automatically forwarded to the agent and replies are sent back from the user's number without any approval step. This enables unreviewed outbound messaging on the user's behalf, which can be abused for impersonation, data leakage, harassment, or propagation of malicious content if the agent is manipulated by message content.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Executing a shell command that installs packages at runtime without a warning or consent is a policy and safety violation because it performs a side effect outside the stated purpose of handling calls/messages. Even if intended as convenience, it changes the host system and introduces avoidable package-execution risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script reads the user's gateway authentication token from the main gateway config and silently copies it into the skill-local `skill-config.json` without an explicit warning or separate consent step. That unnecessarily duplicates a sensitive credential into another file under the skill directory, increasing exposure to leakage, accidental commit, weaker file permissions, or later misuse by the skill's runtime.

Ssd 1

High
Confidence
96% confidence
Finding
The system prompt grants broad tool access and frames approval as a soft process, while the downstream routing later tells the agent not to request approval because it has already been handled. This combination increases the chance that prompt-influenced agent actions bypass layered safeguards and perform sensitive operations with insufficient verification.

Ssd 4

High
Confidence
97% confidence
Finding
The approval narrative explicitly degrades from push approval to voice confirmation and, in conjunction with code paths elsewhere, to proceeding without approval when devices are unavailable. In a phone-call context, this is especially risky because speech recognition errors, caller spoofing, and coercion are realistic, making the fallback chain unsafe for destructive or identity-bound actions.

Ssd 1

High
Confidence
99% confidence
Finding
The code prepends a natural-language instruction to the downstream agent stating, 'Do NOT request approval — it has already been handled. Just perform the action directly.' If the prior approval decision was weak, incorrect, bypassed, or based on a broad heuristic, this suppresses defense-in-depth and encourages direct execution of sensitive actions in the main agent session.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.credential_exposure_instructions, suspicious.dangerous_exec, suspicious.env_credential_access (+1 more)

Instructions expose credentials through shell, git config, or agent memory.

Critical
Code
suspicious.credential_exposure_instructions
Location
SKILL.md:71

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/ws-client.js:1043

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
scripts/ws-client.js:28

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
scripts/ws-client.js:162