Telecom Agent Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is for real telecom automation, but it gives an agent broad calling, recording, transcript, and account authority without enough documented limits or privacy controls.

Review before installing. Use only with a trusted implementation, a limited Twilio account or subaccount, verified opt-in call lists, explicit campaign approvals, spend and rate limits, authorized Telegram users, and clear policies for recording consent, transcript access, retention, and deletion.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: The skill advertises automatic call recording but does not prominently warn about consent, legal restrictions, or privacy obligations. In a telecom context, an agent may initiate calls at scale across jurisdictions, making undisclosed recording especially risky because it can violate wiretapping/consent laws and expose sensitive personal data.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill states that agents can read full call transcripts and that all logs are persisted, but it does not warn that these artifacts may contain highly sensitive personal, financial, or operational information. Because the skill supports bulk calling and centralized storage, missing disclosure and safeguards increase the chance of over-collection, unauthorized access, and compliance failures at scale.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal