Grizzly Sms

Security checks across malware telemetry and agentic risk

Overview

This skill is a real Grizzly SMS integration, but it also walks agents through third-party account registration with rented numbers, and its credential-safety guidance is weak.

Review carefully before installing. The narrow Grizzly SMS API features (balance, number rental and activation management) are legitimate, but do not use this skill for automated account creation or platform-rule evasion, rotate any API key exposed in the bundled Postman file, and prefer a protected secret store over pasting long-lived API keys into chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The configuration broadens an SMS verification skill into end-to-end browser automation for account registration, including visible browser use and form filling on third-party sites. That materially increases abuse potential by enabling automated account creation workflows rather than narrowly limiting the skill to phone/SMS retrieval, which is especially risky given the virtual-number context.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The documentation explicitly supports browser-driven third-party registration workflows even though the declared purpose is SMS verification and virtual phone numbers. In this context, that makes the skill more dangerous because it couples disposable-number procurement with automated signup assistance, a common pattern for policy evasion, spam, and fraudulent account creation.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The documented workflow expands from SMS verification into full automated account creation on third-party services using rented numbers and browser automation. That materially changes the skill from a utility integration into an account-fabrication workflow that can facilitate platform abuse, evasion of anti-fraud controls, and large-scale creation of unverifiable accounts.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Automating external sign-up flows is not necessary to provide SMS verification inventory or number rental services, so the browser steps represent unjustified expansion into potentially abusive activity. In context, directing the agent to fill registration forms and submit verification codes with rented numbers is especially dangerous because it operationalizes account creation rather than merely exposing API data.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The skill presents itself as an SMS/virtual number tool but later instructs the agent to register accounts on third-party platforms. This mismatch obscures the real operational behavior, increasing the chance of accidental approval, overbroad invocation, or user misuse under a seemingly benign description.

Description-Behavior Mismatch

Severity: High
Confidence: 96%
Finding
The OpenAPI document exposes email activation purchase, reorder, lookup, and cancellation endpoints even though the skill is described as providing SMS verification and virtual phone numbers. This scope expansion enables disposable email procurement capabilities that are materially different from the declared purpose and can facilitate account creation or verification abuse without user awareness.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
The skill includes direct purchasable email activation flows, including batch purchase, for arbitrary sites and domains. In the context of an SMS/virtual-number skill, these undocumented acquisition features increase abuse potential by providing additional disposable identity infrastructure that could be used for mass registrations, evasion, or fraud.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The skill is framed as an SMS/virtual-number integration, but its documented workflow explicitly extends into browser-driven registration on third-party platforms. That materially broadens the capability from message retrieval into automated account creation, which can enable abusive signup flows, evasion of platform controls, and use of rented numbers for fraudulent or policy-violating registrations.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The browser automation instructions let the agent navigate to external services, fill registration forms, submit them, poll for SMS, and complete verification. For an SMS API skill, this is unnecessary privilege expansion that directly supports mass or low-friction account creation on unrelated platforms, increasing the risk of spam, sockpuppet accounts, and terms-of-service circumvention.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The file tells users to provide a Grizzly SMS API key in conversation and states the agent will pass it via subprocess environment, but it omits any warning about exposing credentials to the model, logs, transcripts, child processes, or debugging output. This can lead to accidental credential disclosure or broader secret propagation beyond the minimum necessary scope.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README promotes a browser-assisted workflow that includes filling registration forms and entering SMS verification codes, but it does not warn users about the privacy, account-security, and policy risks of automating access to third-party accounts. In an agent skill context, this is more dangerous because the agent may handle sensitive one-time codes and perform account actions on the user's behalf, increasing the chance of unintended account takeover, misuse, or violation of service terms.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README tells users to provide the Grizzly SMS API key in chat/dialog without clearly warning that the key is a credential that can be exposed through chat history, agent memory, logs, or downstream tools. In a skill environment, asking for secrets conversationally is riskier than standard secure configuration because users may unknowingly disclose reusable credentials to components that are not intended to store or process them securely.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The invocation text is broad enough to trigger on routine requests about account registration, which can cause the agent to enter a high-risk workflow too easily. In this skill, that risk is amplified because the downstream behavior includes renting numbers and automating sign-up flows for third-party services.

Missing User Warnings

Severity: High
Confidence: 96%
Finding
The skill provides step-by-step browser automation for creating accounts with rented phone numbers without any warning about fraud, terms-of-service violations, or abuse risks. That omission lowers friction for harmful use and makes the workflow more directly usable for evasion, spam, or mass account generation.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The manifest explicitly says the skill collects an API key in dialog, but it provides no warning about sensitive credential handling, storage, masking, or transmission. In a skill that brokers access to SMS verification and virtual numbers, API keys likely grant account and balance access, so unclear handling increases the risk of credential exposure, accidental logging, or phishing-like collection flows.

Natural-Language Policy Violations

Severity: High
Confidence: 99%
Finding
The Postman collection includes a concrete default API key value in the exported variables section, which constitutes hardcoded credential exposure. Anyone with access to the file can reuse the key to query balance, request numbers, inspect activation history, and manipulate activation state against the associated Grizzly SMS account.
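A practical way to catch this class of finding before a collection is shared is to scan the export for literal credential values. The following is an added example (not part of the Grizzly SMS skill or of the scanner); it assumes the Postman Collection v2.x JSON layout (a top-level "variable" list and nested "item" entries carrying "request", "auth" and "header"), and the sample collection embedded in it is constructed for the demo with a fake key value.

```python
"""Scan a Postman collection export for hardcoded credential values.

Added example; not part of the Grizzly SMS skill or the scanner. It assumes
the Postman Collection v2.x JSON layout (top-level "variable" list, nested
"item" entries with "request"/"auth"/"header"). The sample collection below
is constructed for the demo; the key value in it is fake.
"""
import json
import re
from typing import Any, Iterator

# Variable, header and auth field names that usually hold credentials.
SECRET_NAME = re.compile(r"(api[_-]?key|token|secret|password|auth)", re.IGNORECASE)
# A value that is only a Postman placeholder ({{api_key}}) is not a leak.
PLACEHOLDER = re.compile(r"^\s*\{\{[^}]+\}\}\s*$")


def _is_leak(name: str, value: Any) -> bool:
    """True when a secret-looking field carries a literal, non-placeholder value."""
    if not isinstance(value, str) or not value.strip():
        return False
    return bool(SECRET_NAME.search(name)) and not PLACEHOLDER.match(value)


def _walk_items(items: list, path: str = "") -> Iterator[tuple]:
    """Yield (path, request) for every request in a possibly nested item tree."""
    for item in items or []:
        here = f"{path}/{item.get('name', '?')}"
        if "item" in item:  # a folder: recurse
            yield from _walk_items(item["item"], here)
        elif "request" in item:
            yield here, item["request"]


def find_hardcoded_secrets(collection: dict) -> list:
    """Return one record per literal credential found in the export."""
    leaks = []
    # 1. Collection-level variables: Postman's "Initial value" column ends up here.
    for var in collection.get("variable", []):
        if _is_leak(var.get("key", ""), var.get("value")):
            leaks.append({"where": "variable", "name": var["key"], "value": var["value"]})
    # 2. Per-request auth blocks and headers.
    for path, req in _walk_items(collection.get("item", [])):
        if not isinstance(req, dict):  # requests may be bare URL strings
            continue
        auth = req.get("auth") or {}
        auth_type = auth.get("type", "")
        for entry in auth.get(auth_type, []) or []:
            field = entry.get("key", "")
            if auth_type == "apikey" and field == "value":
                field = "apikey"  # Postman stores the apikey secret under the generic field "value"
            if _is_leak(field, entry.get("value")):
                leaks.append({"where": f"auth@{path}", "name": field, "value": entry["value"]})
        for hdr in req.get("header", []) or []:
            if _is_leak(hdr.get("key", ""), hdr.get("value")):
                leaks.append({"where": f"header@{path}", "name": hdr["key"], "value": hdr["value"]})
    return leaks


# Constructed sample export: one leaked variable, one leaked auth block,
# and one header that correctly uses a placeholder.
SAMPLE_COLLECTION = json.loads("""
{
  "info": {"name": "demo-sms-api",
           "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"},
  "variable": [
    {"key": "base_url", "value": "https://api.example.test", "type": "string"},
    {"key": "api_key", "value": "cafe0123-not-a-real-key", "type": "string"}
  ],
  "item": [
    {"name": "Balance", "request": {"method": "GET", "url": "{{base_url}}/balance",
      "header": [{"key": "X-API-Key", "value": "{{api_key}}"}]}},
    {"name": "Activations", "item": [
      {"name": "Get number", "request": {"method": "POST", "url": "{{base_url}}/numbers",
        "auth": {"type": "apikey", "apikey": [
          {"key": "key", "value": "X-API-Key"},
          {"key": "value", "value": "cafe0123-not-a-real-key"},
          {"key": "in", "value": "header"}]}}}
    ]}
  ]
}
""")

if __name__ == "__main__":
    for leak in find_hardcoded_secrets(SAMPLE_COLLECTION):
        print(f"{leak['where']}: {leak['name']} = {leak['value'][:4]}...")
```

Run it against a real export with `find_hardcoded_secrets(json.load(open("collection.json")))`; any hit means the key is already compromised from the moment the file was shared, so rotate it rather than just deleting the value.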

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The trigger text is broad and explicitly includes virtual numbers and account registration without clear limitations on acceptable uses. That open-ended scope makes it easier to invoke the skill for questionable or abusive workflows, especially when combined with the later registration automation guidance.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill directs the agent to automate account registration and verification on external services but provides no warning about account security, privacy implications, or third-party platform rules. This omission lowers user awareness and normalizes a risky workflow that may violate service policies or expose personal data during signup.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The skill tells users to paste an API key directly into chat and instructs the agent to reuse it in subsequent tool executions, but it does not warn that the key is a sensitive credential tied to the user's Grizzly account. Collecting secrets in conversational channels increases the chance of accidental disclosure, retention, or misuse if chat history or tool logs are exposed.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The skill instructs the agent to collect a raw API key in chat and then reuse it across exec calls via env overrides. Handling credentials in natural-language conversation increases the chance of accidental disclosure through logs, transcripts, prompt leakage, or unintended reuse in subsequent tool interactions.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs the agent to take a user-supplied API key from chat and pass it directly into repeated exec environments. This creates a direct secret-handling risk because the credential may persist in agent memory, chat transcripts, or execution logs, and it encourages broad reuse of a sensitive token across commands.
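The credential-handling findings above (key collected in chat, reused across exec calls via env overrides) all describe the same failure mode: the key is passed around in channels that log or retain it. The following is an added example of the alternative, not code from the Grizzly SMS skill: the key is read from a user-only file standing in for a secret store, the child process receives an allowlisted environment plus the key rather than the agent's full environment, and captured output is redacted before it can reach a transcript. The file path, the env var name GRIZZLY_SMS_API_KEY and the key value are assumptions constructed for the demo.

```python
"""Pass an SMS-service API key to a child process without leaking it.

Added example, not code from the Grizzly SMS skill. It assumes the key is
held in a file readable only by the user (a stand-in for a secret store; the
path and the env var name GRIZZLY_SMS_API_KEY are assumptions) and that the
agent needs to run a CLI that reads that env var.
"""
import os
import subprocess
import sys
import tempfile
from pathlib import Path

KEY_ENV = "GRIZZLY_SMS_API_KEY"  # assumed name of the env var the tool reads
# Only these parent variables are forwarded; everything else (other tokens,
# cloud creds, proxy passwords) stays out of the child's environment.
ENV_ALLOWLIST = ("PATH", "HOME", "LANG", "SYSTEMROOT")
REDACTED = "<redacted>"


def load_key(path: Path) -> str:
    """Read the key from a file and refuse group/world-readable ones (POSIX only)."""
    mode = path.stat().st_mode & 0o777
    if os.name == "posix" and mode & 0o077:
        raise PermissionError(f"{path} is readable by others (mode {mode:o}); run chmod 600")
    key = path.read_text(encoding="utf-8").strip()
    if not key:
        raise ValueError("empty key file")
    return key


def minimal_env(key: str) -> dict:
    """Build the child's environment: allowlisted parent vars plus the key."""
    env = {k: v for k, v in os.environ.items() if k in ENV_ALLOWLIST}
    env[KEY_ENV] = key
    return env


def redact(text: str, key: str) -> str:
    """Mask the key, and its bare prefix, before anything is logged or shown."""
    out = text.replace(key, REDACTED)
    if len(key) > 8:
        out = out.replace(key[:8], REDACTED)  # catches truncated echoes like "key=cafe0123..."
    return out


def run_with_key(argv: list, key: str, timeout: int = 30) -> dict:
    """Run argv with the key only in its env; return redacted output."""
    proc = subprocess.run(argv, env=minimal_env(key), capture_output=True,
                          text=True, timeout=timeout, check=False)
    return {"rc": proc.returncode,
            "stdout": redact(proc.stdout, key),
            "stderr": redact(proc.stderr, key)}


def rejects_shared_key_file() -> bool:
    """Return True if a group/world-readable key file is refused (always True off POSIX)."""
    if os.name != "posix":
        return True
    with tempfile.TemporaryDirectory() as d:
        loose = Path(d) / "loose.key"
        loose.write_text("x")
        os.chmod(loose, 0o644)
        try:
            load_key(loose)
        except PermissionError:
            return True
        return False


def demo() -> dict:
    """Create a 0600 key file, run a child that echoes its env, prove isolation."""
    with tempfile.TemporaryDirectory() as d:
        key_file = Path(d) / "grizzly.key"
        key_file.write_text("cafe0123-not-a-real-key\n")  # constructed fake key
        os.chmod(key_file, 0o600)
        key = load_key(key_file)
        os.environ["OTHER_SERVICE_TOKEN"] = "should-not-cross"  # simulated unrelated secret
        child = [sys.executable, "-c",
                 f"import os; print(os.environ.get('{KEY_ENV}')); "
                 "print(sorted(k for k in os.environ if 'TOKEN' in k))"]
        try:
            return run_with_key(child, key)
        finally:
            os.environ.pop("OTHER_SERVICE_TOKEN", None)


if __name__ == "__main__":
    print(demo())
```

The child still sees the key in its own environment, which is unavoidable for a tool that reads env vars; what changes is that the agent's other secrets never cross into the child, and the value never appears in the agent's captured output, so a leaked transcript or tool log does not leak the account.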

VirusTotal

67/67 vendors flagged this skill as clean.
