Telegram Phone Checker

Security checks across malware telemetry and agentic risk

Overview

This skill is a documentation-only API helper that does what it says, but users should treat phone-number lookups as privacy-sensitive.

Install only if you are comfortable sending queried phone numbers to apipick.com with your apipick API key. Use it only for numbers you own or are authorized to check, and avoid contact discovery, stalking, doxxing, or bulk enumeration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README encourages submitting phone numbers to a third-party API to determine Telegram registration status, but it does not warn users that phone numbers are personal data and will be transmitted off-platform. This creates privacy and compliance risk because users or downstream agents may process other people's phone numbers without consent, transparency, or appropriate legal basis.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill sends highly sensitive user-supplied data—a phone number and API credential—to a third-party service, but the description does not warn the user about that data transfer. This can lead to uninformed disclosure of personal data and credentials, especially because the skill is explicitly marketed for checking whether someone uses Telegram.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill enables lookup of whether a person is registered on Telegram and may return profile identifiers tied to a phone number, but it lacks any warning that this is privacy-sensitive and potentially invasive. In this context, the omission increases the risk of stalking, harassment, doxxing, or other unauthorized contact-enablement workflows.

Missing User Warnings

Medium
Confidence: 95%
Finding
The API reference explicitly enables lookup of whether a phone number is registered on Telegram and returns profile-linked identifiers such as user ID, username, and visible names, but it provides no warning, consent requirements, or abuse limitations. This creates a privacy-sensitive enumeration capability that can facilitate stalking, doxxing, targeted harassment, and bulk profiling of individuals from phone numbers.

VirusTotal

66/66 vendors flagged this skill as clean.
