ClawHub

RingBot

Security checks across malware telemetry and agentic risk

Overview

RingBot is a coherent phone-calling skill, but it needs careful review because it can place real outbound calls using sensitive provider credentials without clear consent, confirmation, or scheduling safeguards.

Install only if you trust and separately review the RingBot backend code, can limit Twilio spending and provider keys, and will require explicit user approval for each call or schedule. Avoid sensitive medical, personal, marketing, or recurring calls unless you have consent, legal authority, minimal data handling, and a clear way to stop future calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list is unusually broad for a high-impact capability: terms like "call," "phone," "dial," and especially "ring" can match many benign user requests and unintentionally invoke a skill that places outbound phone calls. Because this skill can initiate real-world external actions and transmit user-provided context over telephony infrastructure, accidental invocation materially increases the risk of unauthorized calls, privacy exposure, charges, and social-engineering misuse.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill promotes AI phone calling, appointment handling, reminders, and customer-service interactions but provides no warnings about consent, recording/legal restrictions, third-party data sharing, or the sensitivity of information included in the call context. In this context, users may submit names, phone numbers, appointment details, health-related information, or other sensitive data that is then transmitted to external providers and over phone networks without adequate disclosure or safeguards.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal