v1.0.6

Paired — Bluetooth Phone Bridge

SuspiciousClawScan verdict for this skill. Analyzed Apr 30, 2026, 10:25 PM.

Analysis

This skill is mostly transparent about powerful phone access, but it is suspicious because a shipped ADB SMS sender can bypass the stated trust/confirmation safety and Gemini network use is under-described.

Guidance: Install only on a host and phone you own. Before enabling services, review the trusted-numbers list, protect `~/.config/paired`, and avoid storing the phone PIN unless necessary. Do not expose the SMS/Telegram command hooks to untrusted parties. Until patched, avoid giving the agent access to `bt-adb-sms-send`, especially `--silent`, and confirm whether Gemini auto-reply will send SMS content to an external provider.

Findings (10)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack
Severity: Low | Confidence: Medium | Status: Note
SKILL.md
`~/.config/paired/inbox.key` ... `HMAC secret for paired-inbox-hook command dispatch` ... `telegram (optional, for command vocabulary and incoming-call/SMS alerts)`

The skill can receive command-like input through inbound hooks/Telegram. The HMAC design is a mitigating control, but these channels can redirect the agent's work if exposed or misconfigured.

User impact: If the command channel or HMAC key is exposed, remote messages could cause the phone bridge to perform actions.
Recommendation: Keep command hooks disabled unless needed, protect the HMAC key, and only accept commands from trusted authenticated channels.

Tool Misuse and Exploitation
Severity: High | Confidence: High | Status: Concern
bin/bt-adb-sms.py
ap.add_argument("number"); ap.add_argument("text"); ap.add_argument("--silent", action="store_true"); ... if args.silent: r = bt_adb.sms_send_silent(args.number, args.text, serial=args.serial) else: r = bt_adb.sms_send(args.number, args.text, serial=args.serial)

This low-level SMS tool accepts arbitrary destination/text and a silent-send path, then calls ADB SMS send functions directly. No trusted-numbers allowlist or explicit `--confirm` gate is shown in this file, contradicting the stated SMS safety model.

User impact: An agent or user invoking this tool could send or prepare SMS messages to untrusted numbers, and `--silent` may send without a phone-side tap on devices where it works.
Recommendation: Patch bt-adb-sms.py to enforce the trusted-numbers allowlist or require an explicit confirmation flag before every send, especially for `--silent`; until then, avoid exposing this primitive to autonomous agent use.

Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
metadata
Source: unknown; Homepage: none; No install spec — this is an instruction-only skill.

The package has a provenance gap and relies on user-run installation instructions, although the provided artifacts do not show remote download scripts or hidden install sources.

User impact: You cannot easily verify the upstream source or project history from the registry metadata alone.
Recommendation: Review the shipped scripts before symlinking them into your PATH, and prefer installing from a known repository if one becomes available.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Note
bin/bt-adb-setup.py
bt_adb.push(tmp, "/sdcard/Download/.paired-probe.txt"); bt_adb.shell("rm /sdcard/Download/.paired-probe.txt"); bt_adb.shell("dumpsys notification | head -1", timeout=5)

The skill runs ADB shell/file operations on the connected phone. This is central to an ADB phone bridge and is not hidden, but it is still code execution against a real device.

User impact: ADB operations can read or change phone state and files when the phone has granted debugging access.
Recommendation: Keep ADB debugging restricted to your own trusted host and run setup/control commands only when you intend to operate the phone.

Cascading Failures
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Optional: enable the inbox hook (HMAC-signed command dispatcher) ... `systemctl --user enable --now paired-inbox-hook.service`

A persistent inbox command dispatcher can propagate inbound events into phone actions across sessions. HMAC signing is a mitigation, but the service extends impact beyond one interactive request.

User impact: A bad configuration, compromised key, or overly broad trusted channel could repeatedly trigger actions such as replies, calls, or notifications.
Recommendation: Enable persistent hooks only when needed, keep keys private, monitor logs, and disable services when not actively using them.

Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`network_access: bluetooth-LAN-only-plus-user-own-telegram`; `external_services: telegram (optional...)`; `gemini-keys.conf` ... `Gemini API key(s) for paired-respond`

The network/privacy framing can lead users to believe only Bluetooth/LAN/Telegram are involved, while Gemini is also supported for SMS LLM auto-reply.

User impact: Users may enable the skill under an incomplete understanding of where phone-message data can go.
Recommendation: Correct the safety section to include Gemini and plainly explain all external services and privacy tradeoffs.

Rogue Agents
Severity: Low | Confidence: High | Status: Note
SKILL.md
`persistent-systemd-services` ... `Optional: enable systemd user services. Strip the .txt suffix on copy.`

The skill supports background services that continue after the immediate chat task. The persistence is disclosed and optional, with no evidence of self-propagation.

User impact: Enabled services can keep listening for SMS/call/command events even after the current agent interaction ends.
Recommendation: Only enable the specific services you need and use `systemctl --user disable --now ...` to stop them when no longer required.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Note
SKILL.md
`controls-mobile-device-via-adb`, `unlocks-mobile-device-with-stored-pin`, `executes-sudo-commands`; `~/.config/paired/pin` purpose: `phone unlock PIN (mode 0600 enforced) — OPTIONAL`

The skill requests sensitive authority over the user's phone and host. These permissions are disclosed and mostly purpose-aligned, but they cross important account/device boundaries.

User impact: Installing and configuring the skill can give the agent practical control over phone actions and sensitive secrets such as a phone unlock PIN.
Recommendation: Use only on your own host and phone, keep secret files mode 0600, avoid storing the PIN unless necessary, and review any sudo-related behavior before enabling it.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Note
SKILL.md
Configuration lives in `~/.config/paired/paired.conf` (phone MAC, adapter, trusted numbers list). Always read the config before acting; never hardcode phone identifiers.

Persistent configuration and allowlists determine which phone and numbers the agent will trust across tasks. If these files are changed, future actions can be redirected.

User impact: A modified config or trusted-number list could cause actions to target the wrong phone or allow unexpected SMS/call destinations.
Recommendation: Protect the config directory, review the trusted-numbers file regularly, and avoid sharing write access to these files.

Insecure Inter-Agent Communication
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
`network_access: bluetooth-LAN-only-plus-user-own-telegram` ... `~/.config/paired/gemini-keys.conf` purpose: `Gemini API key(s) for paired-respond — OPTIONAL, only if SMS LLM auto-reply is enabled`

The safety network boundary lists Bluetooth/LAN/Telegram, but the same artifact declares Gemini API keys for SMS LLM auto-reply. That external provider/data boundary is not clearly listed under external services or network access.

User impact: If SMS auto-reply is enabled, message content may cross an external AI-provider boundary that users may not realize from the network-access statement.
Recommendation: Explicitly document Gemini as an external service, describe what SMS data is sent, and require clear user opt-in before enabling LLM auto-reply.