Google Voice

Security checks across malware telemetry and agentic risk

Overview

This skill is for Google Voice automation, but it gives an agent broad access to private messages, texting, calling, recording, and raw authenticated API calls.

Install only in a trusted local workspace, preferably with a dedicated Google Voice account or isolated browser profile. Avoid gv_raw_call, gws mode, GV_COOKIE, GV_AUTHORIZATION, and cookie exports unless you specifically need them. Confirm exact recipients, message text, phone numbers, and recording consent before use, and treat HAR files, SMS exports, cookies, API keys, OAuth tokens, transcripts, and recordings as secrets.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (6)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 93%
Finding
The skill documents capabilities to read local files/HAR captures, access environment variables containing API keys or auth material, and make authenticated network requests, but it does not declare corresponding permissions. This mismatch weakens security review and sandboxing because operators may approve or run the skill without realizing it can access sensitive browser-session data, message records, and communication endpoints.

Description-Behavior Mismatch

Medium
Confidence: 96%
Finding
The MCP server exposes a generic `gv_raw_call` tool that allows callers to invoke arbitrary Google Voice API paths with arbitrary request bodies, which substantially exceeds the narrowly described read/send workflow. In the context of an agent-accessible tool, this bypasses any higher-level guardrails the skill author may have intended and creates a broad capability surface for unauthorized message access, account actions, or abuse of undocumented endpoints using the user's live session or credentials.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The code executes a local external binary (`gws auth export`) and consumes exported OAuth refresh credentials, which gives the skill a broader host and credential-access capability than is necessary for normal Google Voice browser automation. In an agent setting, this can silently escalate from using an existing browser session to extracting reusable OAuth secrets from the local environment, increasing the risk of credential theft or misuse beyond the immediate task.

Missing User Warnings

Medium
Confidence: 94%
Finding
This script reads a Google Voice HAR file and prints request-body samples from sensitive voiceclient API calls to stdout. Although it attempts some redaction, the regex-based masking is incomplete and brittle, so phone numbers, message contents, identifiers, tokens, or other private request data may still be exposed in terminal logs, CI output, shell history capture, or shared transcripts.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script records call audio via getUserMedia/MediaRecorder and writes it to a fixed file path on disk without any in-script disclosure, confirmation, or consent handling for recording. In the context of a Google Voice automation skill that can place calls and inject audio, silent recording materially increases privacy, legal, and compliance risk because operators may capture sensitive conversations without adequate notice or jurisdiction-specific consent checks.

Missing User Warnings

Medium
Confidence: 89%
Finding
The skill reads sensitive OAuth refresh credentials, exchanges them for access tokens, and transmits them to Google endpoints without any user-facing approval or warning at the point of use. In a local agent ecosystem, silent credential access is risky because users may believe the tool only automates an existing browser session, while it can actually consume reusable secrets and perform authenticated operations on their behalf.

VirusTotal

65/65 vendors flagged this skill as clean.
