Back to skill

Security audit

ClawVoice

Security checks across malware telemetry and agentic risk

Overview

ClawVoice appears to be a legitimate phone-agent skill, but it needs Review because it can make real calls and texts, asks for provider secrets in chat, exposes telephony endpoints, and stores or forwards call transcripts.

Install only if you intentionally want an agent that can call and text real phone numbers, receive inbound calls/SMS, and expose a webhook/media service. Do not paste API keys or auth tokens into chat; use the local setup wizard, environment variables, or a secret manager, and rotate any secrets already shared. Add your own approval step for outbound calls, texts, and batch campaigns, keep tunnel exposure narrow, disable SMS auto-reply and transcript forwarding unless needed, and review consent, recording, retention, and automated-calling laws before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (25)

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The code automatically replies to inbound SMS messages and forwards message metadata/content to an internal system event emitter without any demonstrated consent, access control, or purpose limitation in this file. In a voice/SMS agent, that creates a real privacy and abuse risk: unsolicited engagement with third parties and silent collection/relay of incoming communications can expose sensitive information and trigger unwanted messaging behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes sending full call transcripts and summaries to third-party messaging platforms, but it does not clearly warn users that this may disclose sensitive personal, medical, financial, or business information outside the primary telephony workflow. In a voice-calling product that handles real conversations and message-taking, this omission increases the chance of accidental privacy breaches or noncompliant data sharing.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to expose a locally hosted call-handling server on port 3101 to the public internet via ngrok, Cloudflare Tunnel, or Tailscale Funnel, but it does not prominently explain the security implications of making webhook and media endpoints internet-reachable. Because this service handles inbound calls, SMS, media streams, and transcripts, inadequate hardening or misunderstanding of exposure scope could lead to unauthorized access attempts, abuse, metadata leakage, or exploitation of any server-side flaws.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs the agent to ask the user to reveal highly sensitive credentials such as Twilio Account SID and Auth Token directly in conversation. Collecting secrets through chat unnecessarily exposes them to logging, transcript retention, prompt leakage, and downstream tool access, making credential compromise materially more likely.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The Telnyx setup flow asks for an API key directly, without any caution about sensitive credential handling. A Telnyx API key can enable telephony actions and account abuse if exposed, so requesting it in conversational context creates an avoidable secret-handling vulnerability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Deepgram setup directs the user to create and provide an API key but omits any warning about its sensitivity. Even if the intended use is legitimate, exposing provider API keys in chat can lead to unauthorized usage, billing abuse, and leakage through stored transcripts or agent memory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The ElevenLabs setup requests an API key and related agent configuration details in conversation with no explicit credential-safety warning. This creates unnecessary exposure of a write-capable API key that could be abused for unauthorized agent operations or account consumption if transcripts or tool context are accessed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code transmits post-call summaries and optional transcript files to Telegram, an external third-party service, when notification settings are enabled. These payloads can contain sensitive conversation data, and this file shows no consent, minimization, redaction, or explicit disclosure controls before exfiltrating that data off-platform.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Inbound SMS content is emitted verbatim through the system event channel, which may be consumed by other components, logs, or agents without the sender's knowledge. That is a genuine confidentiality issue because private message content can be propagated beyond the telephony boundary with no visible disclosure, minimization, or access restriction shown here.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code promotes raw transcript-derived memory candidates into persistent storage, including highly sensitive categories such as health, relationships, preferences, and schedule data. Although promotion appears to require an approval step, there is no evidence here of user consent, minimization, redaction, or any notice before storing personal conversation content, so private user data can be retained indefinitely and exposed through downstream memory access.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool directly initiates real outbound phone calls based solely on tool invocation, with no confirmation gate, allowlist, consent check, rate limit, or user-visible warning at execution time. In an agent setting, this creates a meaningful risk of accidental or prompt-induced external actions, including harassment, social engineering, or unintended charges.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This handler sends an SMS to an arbitrary number immediately after minimal non-empty-string validation, without confirmation or safeguards. In an autonomous agent context, that enables unintended outbound messaging, spam, disclosure of sensitive data, or prompt-injection-driven actions against third parties.

Missing User Warnings

High
Confidence
98% confidence
Finding
The batch tool can place up to 20 sequential real phone calls and persists campaign results to disk, all without a human confirmation step. Because it multiplies external actions and stores operational data, the blast radius is much larger than a single-call tool and could support spam, large-scale social engineering, or accidental bulk calling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The report generator reads stored call records and writes a CSV containing summaries and transcript content to disk, but provides no privacy warning, minimization, retention control, or access restriction in the handler. This can expose sensitive conversational data to later users, other tools, or filesystem readers, increasing confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The service forwards `systemPrompt` and `greeting` directly to an external voice/AI provider, which can expose sensitive instructions, internal policies, or embedded secrets if upstream callers place such data there. In an agent skill context, prompts often contain operational guidance or confidential business logic, so transmitting them to a third party broadens data exposure and may create privacy, confidentiality, or prompt-leakage risk.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The package advertises a telephony-capable plugin that can give an AI agent a phone number, but the manifest description does not state any activation constraints, user-consent requirements, or call-scope limitations. In an agent ecosystem, broad telephony capability is inherently sensitive because it can enable real-world actions, social engineering, or unexpected outbound communication if invoked too freely.

Ssd 3

Medium
Confidence
98% confidence
Finding
This is a direct secret disclosure pattern: the skill tells the agent to collect provider credentials from the user in conversation, including auth tokens and other sensitive values. In an agent environment, chat contents may be logged, summarized, reused in prompts, or exposed to operators and tools, so soliciting secrets this way significantly increases compromise risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The Telnyx flow specifically asks the user to disclose an API key to the agent during chat. Because API keys grant operational access and may be retained in transcripts or system logs, this is a true secret-exposure vulnerability rather than a benign setup convenience.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instructions tell the agent to ask for a Deepgram API key in chat, which exposes a live credential to conversational handling paths that are not designed as secret vaults. The context is a setup skill, but that does not justify collecting secrets through transcripts when safer local configuration options exist.

Ssd 3

Medium
Confidence
96% confidence
Finding
The ElevenLabs setup asks the user to provide an API key directly to the agent, creating a classic conversational secret-disclosure risk. A write-capable ElevenLabs key could be abused for unauthorized changes or billed usage if leaked via logs, prompt context, analytics, or human review.

Ssd 3

High
Confidence
97% confidence
Finding
The campaign report feature is explicitly designed to extract names, companies, summaries, and full transcripts into a downloadable CSV, which materially increases the ease of bulk exfiltration and secondary dissemination of sensitive call data. The skill context makes this more dangerous because telephony transcripts commonly include personal, financial, medical, or business-confidential information, and CSV export creates a portable artifact that is easy to share or ingest elsewhere.

Ssd 1

Medium
Confidence
84% confidence
Finding
The code injects sessionConfig.systemPrompt into a reserved dynamic variable, _system_prompt_, that the remote agent prompt template consumes. If an upstream caller can influence systemPrompt, they can alter agent behavior, bypass intended guardrails, or steer tool usage and responses, creating a prompt-injection/control-plane risk rather than simple data passing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
"url": "https://github.com/ClawVoice/clawvoice/issues"
  },
  "dependencies": {
    "@clack/prompts": "^1.1.0",
    "ws": "^8.19.0"
  },
  "bundledDependencies": [
Confidence
82% confidence
Finding
"@clack/prompts": "^1.1.0"

Unpinned Dependencies

Low
Category
Supply Chain
Content
},
  "dependencies": {
    "@clack/prompts": "^1.1.0",
    "ws": "^8.19.0"
  },
  "bundledDependencies": [
    "ws",
Confidence
85% confidence
Finding
"ws": "^8.19.0"

Known Vulnerable Dependency: ws==8.19.0 — 1 advisory(ies): CVE-2026-45736 (ws: Uninitialized memory disclosure)

Low
Category
Supply Chain
Confidence
91% confidence
Finding
ws==8.19.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal, suspicious.prompt_injection_instructions

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/cli.js:1047

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
dist/index.js:474

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
dist/services/clawvoice.js:102

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
README.md:169