China Phone Checker

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward Chinese phone-number lookup that sends the queried number to the disclosed apipick API, with normal privacy and API-key considerations.

Install only if you are comfortable sending queried Chinese phone numbers to apipick.com and using an apipick API key that may consume credits. Prefer setting the key in APIPICK_API_KEY rather than pasting it into chat, and only check numbers you are authorized to submit.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium (87% confidence)
Finding
The README instructs users to submit Chinese phone numbers to a third-party API but does not disclose the privacy implications of transmitting personal data off-system. Phone numbers are personal data, and sending them to an external service can create compliance, consent, retention, and data-handling risks, especially in enterprise or regulated environments.

Missing User Warnings

Medium (95% confidence)
Finding
The skill sends both a user-supplied phone number and an API credential to a third-party service, but the description does not clearly warn the user about that external disclosure. This creates a privacy and consent risk because phone numbers are personal data and users may not realize their data, or their provided API key, will leave the local agent environment.

Missing User Warnings

Medium (90% confidence)
Finding
The skill sends user-supplied Chinese phone numbers to a third-party API, which is a privacy-relevant external transmission of personal data. While this is core to the skill's purpose and not inherently malicious, the reference lacks any warning, consent guidance, or data-handling disclosure, increasing the risk of unauthorized sharing of personal information.

VirusTotal

64/64 vendors flagged this skill as clean.
