Back to skill

Security audit

Agent Phone Call

Security checks across malware telemetry and agentic risk

Overview

This is a real phone-call integration, but it needs review because it can make and receive real calls, expose transcripts and recordings, and persist phone-account access with only loose user-control boundaries.

Install only if you are comfortable giving PollyReach a persistent phone-account token and allowing it to process call instructions, caller data, transcripts, recordings, and message notifications. Before using it, require explicit approval for every outbound call, booking, retry, target switch, purchase-like action, and scheduled polling setup; avoid sharing secrets or sensitive account details during calls; protect the token file; and review or disable the persistent inbound answering prompt when it is no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
80% confidence
Finding
The trigger guidance is broad enough to activate on common phrases like 'help me contact' or 'help me book,' which can cause the agent to route ordinary requests into a phone-based external service unnecessarily. In context, that means potentially sharing sensitive task details, initiating calls, or changing behavior based on loose intent matching rather than explicit user consent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill does not clearly warn, at the beginning, that user-provided task details, phone numbers, transcripts, recordings, and inbound caller data may be transmitted to a third-party service and that incoming calls may be auto-answered. This undermines informed consent and can expose private communications or personal data without the user fully understanding the consequence.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script retrieves unread SMS messages and prints both sender phone numbers and full message contents directly to stdout without masking, consent checks, or any warning that sensitive communications will be exposed in logs or terminal history. In an agent skill context, this increases the chance that OTPs, personal data, or private messages are surfaced to other tools, users, or logging systems that consume command output.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs default disclosure of full outbound call transcripts, recipient details, and recording links to the human. Full transcript and recording disclosure can expose third-party personal information, payment/account details mentioned during calls, or sensitive business communications beyond what is necessary to complete the task.

Ssd 3

Medium
Confidence
96% confidence
Finding
The inbound-call workflow requires sharing caller identity, transcript, summary, and recording details by default, even though inbound callers may not have consented to such extensive disclosure or AI handling. Because this concerns unsolicited third-party communications, the privacy risk is higher: the skill may capture and redistribute personal, confidential, or regulated information from callers automatically.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.