Android SMS Gateway

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed Android SMS gateway tool, but it should be treated as sensitive because it can send, read, and forward real SMS messages.

Install only if you intentionally want an agent to send, read, or forward SMS through your Android gateway. Keep gateway credentials out of shared files, repos, shell history, and transcripts; prefer protected config files or a secrets manager. Use local/private HTTPS endpoints where possible, opt into cloud mode only if you accept that third-party trust boundary, and register webhooks only to endpoints you control because incoming SMS may include OTPs or personal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documents executable shell commands and scripts but does not declare corresponding permissions, creating a transparency and governance gap. In an agent environment, undeclared shell capability can lead operators to approve or run actions without understanding the full execution surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The description frames the skill as a self-hosted Android SMS gateway, but the documentation also supports cloud endpoints and webhook registration, which materially expand the data-flow and trust model. This mismatch can cause users to expose SMS content or credentials to external services they did not expect to be in scope.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script advertises a self-hosted Android SMS gateway health check, but a runtime mode silently rewrites the target to a third-party cloud endpoint. That creates an unexpected trust boundary change and can cause operators to send authentication attempts and operational metadata to an external service contrary to the skill's stated purpose.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises receiving SMS and checking received messages without explicitly warning that message bodies, sender numbers, and potentially one-time codes are sensitive data. Users may enable these features without understanding that the skill can surface or store highly confidential communications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Webhook registration for incoming SMS is documented without an explicit warning that messages may be forwarded to an external server, potentially including sender metadata and message contents. This can create unintentional exfiltration of sensitive SMS data, especially for OTPs, alerts, and personal communications.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The documentation exposes capabilities to send SMS, read inbox contents, receive webhook delivery events, and delete message history, but it does not prominently warn about the privacy, compliance, and destructive-data implications of using these endpoints. In a skill intended for security teams, these actions are powerful and sensitive; lacking explicit guardrails increases the chance of misuse, overcollection of SMS content, or accidental deletion of evidentiary data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation shows how to register a webhook and includes an incoming SMS payload containing message text and phone numbers, but it does not clearly warn that this forwards highly sensitive communications data to an external server. In the context of an SMS gateway used by security teams, this can lead to unintentional exfiltration of OTPs, personal data, and other sensitive SMS content if operators configure third-party endpoints without understanding the privacy and security implications.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The examples instruct users to place gateway credentials in environment variables and a plaintext JSON config file without warning about secret exposure risks. On shared systems, these credentials may be disclosed through shell history, process listings, backups, weak file permissions, or accidental commits, enabling unauthorized SMS sending, webhook changes, or access to received message data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
In verbose mode and especially in dry-run mode, the script prints the full SMS content and constructed payload to stdout. SMS messages often contain sensitive data such as OTPs, alerts, or incident-response details, so these logs can leak secrets to shell history capture, CI logs, terminal recording, or centralized log collectors.

External Transmission

Medium
Category
Data Exfiltration
Content
```bash
export SMS_GATEWAY_URL="http://192.168.1.100:8080"  # Local server
# export SMS_GATEWAY_URL="https://api.sms-gate.app/3rdparty/v1"  # Cloud
export SMS_GATEWAY_USER="your-username"
export SMS_GATEWAY_PASS="your-password"
export SMS_GATEWAY_TIMEOUT="30"
```
Confidence
88% confidence
Finding
https://api.sms-gate.app/

VirusTotal

64/64 vendors flagged this skill as clean.
