Security audit

Second Phone Number

Security checks across malware telemetry and agentic risk

Overview

This is a coherent PollyReach second-phone-number integration, but it handles sensitive call and message data through PollyReach's service.

Install only if you are comfortable letting PollyReach process your phone numbers, call instructions, inbound messages, call summaries, transcripts, recordings, and custom answering prompts. Keep the PollyReach token file private, avoid using the number for one-time codes or highly sensitive calls, and enable periodic inbound-call polling only if you explicitly want ongoing checks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The skill markets itself primarily as getting a second phone number, but it also enables broader data-processing behaviors such as polling call content, updating answering prompts, and querying account state. This matters because users may not understand that phone numbers, transcripts, recordings, and behavioral prompts are being sent to and managed by a third-party service.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill recommends scheduled polling every 5–10 minutes for incoming calls, creating persistent background monitoring beyond a one-shot user action. Persistent polling can continuously process sensitive call metadata and summaries and may surprise users if they did not explicitly consent to ongoing monitoring.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script reads a bearer token from a local credentials file and uses it for remote API access, even though the skill’s declared purpose is obtaining/using a second phone number. Accessing unrelated local secrets expands the skill’s privilege surface and creates risk if the script is triggered without clear user understanding. In this context, the mismatch between manifest purpose and credential access makes the behavior more suspicious and dangerous.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The implemented behavior checks account credit balance rather than performing the user-facing second-phone-number functions described in the manifest. This capability mismatch can conceal undisclosed account inspection behavior and undermines informed user consent about what the skill actually does. Because the skill context does not justify credit-balance polling, the discrepancy increases risk.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script's actual behavior is to send a user-supplied message as a prompt update to a PollyReach backend, which does not match the manifest's user-facing description of obtaining a second phone number. This mismatch is security-relevant because it can mislead users into authorizing execution that changes remote AI behavior or account configuration instead of performing the advertised telecom function.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads a local bearer token from a credentials file and uses it to authenticate outbound requests, but this capability is not clearly tied to the declared user-facing function of obtaining or managing a second phone number. In the context of an agent skill, undisclosed access to local credentials increases risk because it gives the skill authenticated access beyond what a user would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code polls a remote /chat/openclaw/query endpoint, which does not obviously correspond to phone-number provisioning or call-handling behavior described by the skill metadata. This mismatch between declared purpose and implemented network behavior is dangerous because it can conceal unrelated data processing or remote control functionality under a benign-looking skill.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger conditions are broad enough that the skill may activate on ordinary requests involving phone numbers or vague wording like 'get me a phone number.' Overbroad activation is risky here because it can lead to account registration, external API use, and disclosure of contact/call data to a third party without clear, deliberate user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill does not clearly warn that using inbound/outbound calling sends phone numbers, call purposes, transcripts, summaries, and recordings to an external service. Because call content is highly sensitive, insufficient disclosure undermines informed consent and can expose personal or business communications to third-party processing unexpectedly.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script transmits a bearer token to a remote API endpoint without any visible user-facing disclosure or consent mechanism in the script. Even if the destination is a legitimate service, silent credential-bearing network requests can expose sensitive account access and violate user expectations. Given the skill’s consumer-facing description, this hidden remote use of credentials is more concerning.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script prints unread SMS contents and sender phone numbers directly to stdout, which can expose sensitive personal data in terminal scrollback, shell history capture tools, CI logs, wrappers, or other monitoring systems. In the context of a second-phone-number skill handling private communications, this increases the privacy risk because the data is likely to contain OTPs, personal messages, and phone numbers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script transmits a bearer-authenticated request containing the user-provided message to an external API, but there is no clear user-facing notice in the skill that account-linked data and credentials will be used for a remote configuration update. In the context of a skill advertised as getting a second phone number, this undisclosed network action is more suspicious because users may not expect prompt/configuration updates to a third-party service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends an authenticated bearer-token request to a remote API without any visible user-facing disclosure, confirmation, or audit trail. Silent authenticated outbound calls are risky in agent skills because users may not realize their account context is being used to query a remote service repeatedly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script sends both user-provided message content and a bearer token to a remote service, but it provides no explicit notice, confirmation, or data-handling warning to the user at send time. In a skill that handles phone/communications workflows, messages may contain sensitive personal or business information, so silent transmission to a third-party API increases privacy and credential exposure risk if users do not understand what is being sent externally.

External Transmission

Medium
Category
Data Exfiltration
Content
# Use jq to safely construct JSON (prevents shell injection)
  BODY=$(jq -n --arg prompt "$MESSAGE" '{"prompt": $prompt}')

  HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST https://api.pollyreach.ai/platform/v1/users/phone/pollyreach/update \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $TOKEN" \
    -d "$BODY") || { sleep 2; continue; }
Confidence
82% confidence
Finding
curl -s -w "\n%{http_code}" -X POST https://api.pollyreach.ai/platform/v1/users/phone/pollyreach/update \ -H "Content-Type: application/json" \ -H "Authorization: Bearer $TOKEN" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
# Use jq to safely construct JSON (prevents shell injection)
  BODY=$(jq -n --arg prompt "$MESSAGE" '{"prompt": $prompt}')

  HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST https://api.pollyreach.ai/platform/v1/users/phone/pollyreach/update \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $TOKEN" \
    -d "$BODY") || { sleep 2; continue; }
Confidence
82% confidence
Finding
https://api.pollyreach.ai/

External Transmission

Medium
Category
Data Exfiltration
Content
# Use jq to safely construct JSON (prevents shell injection)
  BODY=$(jq -n --arg msg "$MESSAGE" '{"message": $msg}')

  # Capture curl exit code directly before any variable assignment
  HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST https://api.pollyreach.ai/platform/v1/chat/openclaw/completions \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $TOKEN" \
Confidence
89% confidence
Finding
curl exit code directly before any variable assignment HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST https://api.pollyreach.ai/platform/v1/chat/openclaw/completions \ -H "Content-Type: app

External Transmission

Medium
Category
Data Exfiltration
Content
BODY=$(jq -n --arg msg "$MESSAGE" '{"message": $msg}')

  # Capture curl exit code directly before any variable assignment
  HTTP_RESPONSE=$(curl -s -w "\n%{http_code}" -X POST https://api.pollyreach.ai/platform/v1/chat/openclaw/completions \
    -H "Content-Type: application/json" \
    -H "Authorization: Bearer $TOKEN" \
    -d "$BODY") || { sleep 2; continue; }
Confidence
87% confidence
Finding
https://api.pollyreach.ai/

Exfiltration Commands

High
Category
Prompt Injection
Content
- {"status":false,"task_id":"1f7aaf63-fab1-4f02-881c-22eba8ce4622","message":"Error message"}
**Features:**
- A status of true from the send API means PollyReach received the message. The actual result must be retrieved from query.sh.
- **Important:** After every call to send.sh return true, you **must** call query.sh. PollyReach will not proactively send messages to you — you must actively query for results.
- **Concurrency Limitation:** Polly can only handle one call at a time. If a call is in progress, subsequent send.sh requests will return `{"status":false,"message":"reason"}`. Agents should retry after the current call completes. Send requests one at a time.
Confidence
80% confidence
Finding
send messages to

VirusTotal

64/64 vendors flagged this skill as clean.
