Back to skill

Security audit

Agentphone Skills

Security checks across malware telemetry and agentic risk

Overview

This skill openly provides real phone, SMS, call, and webhook abilities, but it gives an agent broad real-world communication and account authority without enough clear guardrails.

Install only if you intentionally want an agent to control a real phone number. Use a dedicated AgentPhone API key stored in a secret manager or environment variable, require explicit approval before buying/releasing numbers, sending texts, making calls, handling OTPs, deleting data, or enabling webhooks, and monitor billing and webhook destinations carefully.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README advertises capabilities to place calls, send/read SMS, and configure webhooks without clearly warning users that this transmits data to an external telephony provider, may involve sensitive personal communications, and can incur real usage charges. In an agent skill context, this omission is dangerous because users may authorize actions affecting real phone numbers, message contents, and billing before understanding the privacy and financial implications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly encourages the agent to send SMS and place live calls to real people and frames it as a recommended demo, but it does not require explicit recipient consent or clearly warn about privacy, recording/transcript implications, carrier costs, and misuse risks. In a telephony skill, prompting real-world contact without strong consent/charge guardrails increases the chance of unauthorized outreach, privacy violations, or unexpected billing.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill suggests using the provisioned number to receive OTP codes on a human's behalf, which can facilitate account takeover, bypass of identity controls, or violations of service terms if used for third-party accounts. Because OTPs are authentication factors, normalizing this use case without a strong warning meaningfully increases account-security risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The API reference documents tools like get_call, stream_transcript, get_messages, and conversation retrieval endpoints without any privacy or safety warning that they expose potentially sensitive communications content. In a telephony skill, transcripts and message histories can contain personal data, authentication codes, financial details, or confidential business information, so omitting prominent guidance increases the chance an agent will access, summarize, or forward sensitive content without appropriate safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The reference describes send_message, make_call, and make_conversation_call as ordinary tools but does not clearly warn that they trigger real outbound SMS or phone calls to external recipients. In this skill's context, that omission is more dangerous because the product is specifically designed to let AI agents communicate with real people, so an agent or user could unknowingly spam contacts, place unwanted calls, incur charges, or send harmful content into the real world.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.