Customer Service Caller

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real PollyReach calling integration, but it needs review because it can handle inbound calls/messages, expose transcripts and recordings, and use a persistent local account token.

Review before installing. Use this skill only if you are comfortable giving PollyReach a local account token and allowing the service to make calls, answer calls to its assigned number, retrieve inbound message/call content, and show transcripts or recording links. Do not enable periodic inbound polling unless you specifically want ongoing checks, and protect or revoke the token if the machine is shared or compromised.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding
The skill is presented as a customer-service calling tool, but it also provisions a phone number, answers inbound calls, stores a long-lived token locally, polls account status, and updates answering prompts. That broader behavior materially changes the privacy and security posture because users may authorize it for outbound calling without realizing it can autonomously receive calls and collect transcripts/recordings.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script reads a long-lived API bearer token from a local credentials file and uses it to access a remote messaging API. While reading credentials is sometimes necessary, this capability is not clearly aligned with the stated phone-call automation purpose and expands the skill's access to account data; if the skill is installed under false expectations, it can access message data without informed user consent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding
The skill is presented as a customer-service calling tool, but this code polls unread SMS messages and outputs their contents. That mismatch is security-relevant because users may grant trust based on the advertised purpose while the code accesses a different, privacy-sensitive data source, enabling covert collection or exposure of messages.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script reads a persistent bearer token from a local file and uses it to authenticate to a remote PollyReach API. For a skill framed as customer-service calling, this hidden cloud-auth capability expands trust and allows remote account actions if the local token is stolen, misused, or scoped too broadly.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding
The script loads a long-lived bearer token from a local file and uses it to access a remote PollyReach backend, which creates persistent access risk if the host is compromised or the token file is exposed. In the stated skill context of customer-service phone automation, this backend credential use is not clearly necessary and expands the trust boundary beyond what the manifest suggests.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The manifest says the skill handles customer-service phone calls, but this script actually sends arbitrary user-supplied text to a remote completion/task API. That mismatch is dangerous because it conceals actual data flow and capability, preventing users and reviewers from accurately assessing what information leaves the system and what remote actions may be triggered.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The trigger phrases are broad enough to overlap with ordinary user requests such as asking for help, refunds, cancellations, or complaints. That raises the risk of unintended activation of a real-world calling workflow that can contact third parties, spend credits, and disclose user information without sufficiently explicit user intent.

Missing User Warnings

Severity: High
Confidence: 94%
Finding
Automatically answering incoming calls on the user's behalf is a high-sensitivity behavior with significant privacy, impersonation, and consent implications. The skill text treats this as a feature but does not provide a strong upfront warning or explicit opt-in boundary, making accidental enablement more dangerous in context.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill instructs the agent to expose full call transcripts, summaries, recordings, and detail links after calls, but does not clearly warn users at the outset that sensitive third-party communications may be captured and surfaced. In a calling skill, this creates meaningful privacy and legal risk, especially where two-party consent or data minimization expectations apply.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The script prints phone numbers and full message contents directly to stdout, which can expose sensitive personal data in terminal history, logs, CI output, or shared sessions. Even if intended for debugging or convenience, this creates unnecessary data leakage risk for private communications.

Missing User Warnings

Severity: Medium
Confidence: 83%
Finding
The script silently sends an authorization token to a remote API with no in-script disclosure or consent checkpoint. In the context of an agent skill, undisclosed credential transmission to a cloud service increases the risk of users or operators misunderstanding where authentication data is going and what remote actions it enables.

VirusTotal

65/65 vendors flagged this skill as clean.