ClawHub

Mobile Phone Number Undeliverable or Empty Detection - 手机空号检测

Security checks across malware telemetry and agentic risk

Overview

This skill is a straightforward JisuAPI phone-number status checker, with the main caution that submitted numbers are sent to a third-party API.

Install only if you are comfortable sending the target phone numbers to JisuAPI using your own API key. Use it only for numbers you are authorized to process, review the provider’s privacy and retention terms, and avoid relying on its classifications alone for marketing, fraud, eligibility, or other consequential decisions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger description is broad enough that ordinary conversation about phone-number validity could invoke the skill without clear user intent to send data to a third-party API. Because the payload consists of phone numbers, accidental activation can expose sensitive personal data and cause unintended external transmission.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage scenarios describe when to use the skill but omit exclusion criteria and safeguards, increasing the chance of over-triggering in ambiguous contexts. In a privacy-sensitive workflow involving phone numbers, lack of trigger boundaries can lead to unauthorized or unexpected disclosure to the vendor API.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs users to submit phone numbers to an external API without clearly warning that the numbers will be transmitted to a third party. Phone numbers are personal data, so silent transfer creates privacy, consent, and compliance risk, especially in bulk-processing scenarios.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guidance encourages using the results directly for downstream messaging or operational decisions without warning about false positives, stale data, or regulatory constraints. This can enable harmful business actions such as suppressing legitimate users, misclassifying reachable numbers, or using inferred status in ways that violate telecom/privacy rules.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill transmits users' phone numbers to a third-party API without any in-script disclosure, consent mechanism, or privacy notice. Because phone numbers are sensitive personal data, silent external transmission can create privacy, compliance, and trust risks, especially in batch-processing scenarios.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal