Dialmycalls

Security checks across malware telemetry and agentic risk

Overview

This DialMyCalls skill is a coherent integration, but it gives an agent broad power to send broadcasts, change contacts, and make raw authenticated API requests without clear confirmation safeguards.

Install only if you trust Membrane and intend to let an agent operate your DialMyCalls account. Require explicit approval before any broadcast, contact update or deletion, purchase-related action, or raw proxy request, and ask the agent to show the exact recipients, message content, target records, timing, and expected cost before running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill documents destructive operations like deleting contacts but provides no confirmation, authorization, or user-consent guidance before performing them. In an agentic setting, this increases the chance that an LLM could execute irreversible account changes from an ambiguous or insufficiently verified prompt.

Missing User Warnings

Medium
Confidence: 95%
Finding
The proxy request section enables arbitrary authenticated API requests yet omits any warning that these calls may create, modify, or delete remote resources. Because the proxy can bypass the safer pre-built actions, an agent could perform powerful and irreversible operations without visibility controls or confirmation, increasing the risk of accidental or prompt-induced misuse.

VirusTotal

65/65 vendors flagged this skill as clean.
