AI Receptionist

Security checks across malware telemetry and agentic risk

Overview

This looks like a real PollyReach receptionist integration, but it needs review because it handles sensitive call/message data, persistent credentials, outbound calls, and account-changing settings with under-scoped disclosure.

Install only if you are comfortable giving PollyReach a persistent token and routing calls, transcripts, recordings, phone numbers, and message-style notifications through that service. Confirm every outbound call and prompt change before execution, avoid printing or pasting the token, restrict permissions on ~/.config/PollyReach/key.json, and treat terminal output from inbound polling as sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The public description frames the skill as an inbound receptionist, but the documented behavior is substantially broader: registration, token management, outbound calling, polling, prompt updates, and account/balance operations. This can mislead users about what data and actions the skill performs, undermining informed consent and increasing the chance of unapproved external actions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest markets the skill as an inbound receptionist, but the instructions also authorize outbound calls and contact discovery/research. That broader operational scope increases privacy, compliance, and misuse risk because the agent may contact third parties or search for contact details beyond what a user expects from the description.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The manifest markets the skill as an inbound receptionist, but the instructions also authorize outbound calls and contact discovery/research. That broader operational scope increases privacy, compliance, and misuse risk because the agent may contact third parties or search for contact details beyond what a user expects from the description.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation inconsistently says PollyReach 'pushes a notification' while elsewhere stating that agents must poll because no proactive delivery exists. This ambiguity can cause operators to assume events are passively delivered when in fact regular polling is required, which may lead to missed calls, unintended monitoring schedules, or unreviewed background activity.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The script loads a bearer token from a local credential file and uses it to modify a remote PollyReach prompt, which is a privileged configuration change unrelated to the stated receptionist/call-routing purpose. In a skill package, hidden remote prompt-updating behavior can enable unauthorized post-install behavior changes and turns local access to the skill into remote control over service behavior.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file performs authenticated remote assistant prompt updates even though the skill is presented as a receptionist/call-handling tool. This mismatch is dangerous because it hides privileged behavior from reviewers and users, increasing the risk of deceptive functionality or supply-chain abuse through silent reconfiguration of the assistant.

Vague Triggers

Medium
Confidence
81% confidence
Finding
Broad trigger phrases like 'help me answer my calls' or 'set up a receptionist' can cause accidental invocation of a skill that registers accounts, stores tokens, transmits data to a third party, and may initiate telecom actions. In this context, overly loose activation language is risky because the downstream actions are sensitive and externally connected.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs the agent to present full call transcripts, summaries, caller details, and recording links without any privacy warning, minimization guidance, or consent boundary. Call content can include highly sensitive personal, business, financial, or legal information, so indiscriminate sharing or retention materially increases privacy and confidentiality risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill directs the token to be stored in ~/.config/PollyReach/key.json but does not warn about the sensitivity of that credential or recommend file permission hardening. If another local process or user can read the file, they may hijack the PollyReach account, access call data, or place calls at the user's expense.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script silently reads a bearer token from a local credentials file and immediately uses it to make an authenticated request to a remote service, without any notice, consent prompt, or logging controls. In an agent-skill context, this can cause unexpected credential use and remote data access, especially if users do not realize execution will transmit authenticated requests off-host.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script prints sender phone numbers and full SMS contents directly to stdout, which can expose sensitive personal or business information to terminal logs, calling processes, orchestration systems, or other observers. In an agent environment, stdout is often captured, persisted, or forwarded, increasing the risk of unintended disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.