ClawHub
Back to skill

Security audit

Paired: Phone Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is broadly aligned with controlling a user-owned phone, but it under-discloses several automatic SMS/call behaviors and lacks the promised trust gate on some SMS paths.

Install only after reviewing the automation paths. Keep trusted-numbers.conf empty until deliberate, avoid storing a phone PIN unless necessary, do not enable SMS/call watcher services until you understand their auto-reply and hangup behavior, and bind any voice service to localhost or firewall it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • Taint TrackingDirect Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (49)

Dynamic attribute access via getattr()

Low
Category
Dangerous Code Execution
Content
dpath = _mac_to_device_path(apath, mac)
    dobj = bus.get_object(BLUEZ_SERVICE, dpath)
    diface = dbus.Interface(dobj, DEVICE_IFACE)
    method = getattr(diface, op)
    try:
        method(timeout=int(timeout * 1000))
    except dbus.DBusException as e:
Confidence
88% confidence
Finding
method = getattr(diface, op)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for r in raw_files:
            f.write("file '" + str(r) + "'\n")
    ref = VOICE_DIR / "reference.wav"
    subprocess.run(
        ["ffmpeg", "-y", "-hide_banner", "-loglevel", "error",
         "-f", "concat", "-safe", "0", "-i", str(list_file),
         "-ar", "24000", "-ac", "1", str(ref)],
Confidence
82% confidence
Finding
subprocess.run( ["ffmpeg", "-y", "-hide_banner", "-loglevel", "error", "-f", "concat", "-safe", "0", "-i", str(list_file), "-ar", "24000", "-ac", "1", str(ref)],

subprocess module call

Medium
Category
Dangerous Code Execution
Content
for n in norm:
                fh.write(f"file '{n}'\n")

        subprocess.run(
            ["ffmpeg", "-y", "-hide_banner", "-loglevel", "error",
             "-f", "concat", "-safe", "0", "-i", manifest,
             "-ar", "24000", "-ac", "1", args.output],
Confidence
86% confidence
Finding
subprocess.run( ["ffmpeg", "-y", "-hide_banner", "-loglevel", "error", "-f", "concat", "-safe", "0", "-i", manifest, "-ar", "24000", "-ac", "1", args.outp

subprocess module call

Medium
Category
Dangerous Code Execution
Content
" --es par2 '" + safe_par2 + "'",
    ]
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)
    except subprocess.TimeoutExpired:
        return False, "intent broadcast timeout"
    except OSError as e:
Confidence
99% confidence
Finding
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"BTCALL_TIMESTAMP": datetime.now().strftime("%Y%m%dT%H%M%S"),
            })
            try:
                p = subprocess.run(
                    self.hook_cmd, shell=True, env=env, timeout=10,
                    stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
                rc = p.returncode
Confidence
96% confidence
Finding
p = subprocess.run( self.hook_cmd, shell=True, env=env, timeout=10, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"BTSMS_PHONE": self.phone,
        })
        try:
            subprocess.Popen(
                self.hook_cmd, shell=True, env=env,
                stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,
            )
Confidence
98% confidence
Finding
subprocess.Popen( self.hook_cmd, shell=True, env=env, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, )

Tainted flow: 'cmd' from os.environ.get (line 37, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
pw = os.environ.get("SUDO_PASS")
    cmd = ["sudo", "-S" if pw else "-n", *args]
    stdin_input = (pw + "\n") if pw else None
    p = subprocess.run(cmd, input=stdin_input, capture_output=True, text=True)
    return p.returncode, (p.stdout + p.stderr).strip()
Confidence
78% confidence
Finding
p = subprocess.run(cmd, input=stdin_input, capture_output=True, text=True)

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The docstring asserts that voice data is never transmitted anywhere, yet the generated configuration includes service endpoints for voice-processing systems (`VOXCPM_URL`, `XTTS_URL`). Even if these are localhost by default, the statement is misleading and may cause users to underestimate privacy risk if the services are remote, containerized, or later reconfigured.

Intent-Code Divergence

High
Confidence
87% confidence
Finding
The comments describe a Telegram draft/alerting workflow, but the implementation also sends real SMS replies automatically via a local helper. That mismatch can cause operators to approve or deploy the skill believing it is notification-only when it actually performs external actions on behalf of the user, increasing the chance of unintended communications and trust abuse.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The supposed sender authorization check is broken because ALLOWED_SENDER_ID is a literal placeholder string rather than a loaded runtime value. In practice this can cause the protection to fail closed or behave unexpectedly, and in a legacy design already parsing commands from untrusted session logs, any authorization bug around command origin is highly dangerous.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The docstring says the tool aborts when the phone is locked, but the implementation supports --auto-unlock using a stored PIN. This mismatch is dangerous because it understates the tool's capability to bypass the device lock state, which can mislead reviewers, operators, or higher-level agents into granting it more trust than warranted.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill advertises a very broad trigger set including common phrases such as "pause", "next track", "Bluetooth", and "BT", which increases the chance of accidental invocation or prompt-trigger collisions in unrelated conversations. In a skill that can send SMS, place calls, unlock a phone, and control persistent services, unintended activation can lead to privacy-impacting reads or even real-world actions if downstream confirmation logic is bypassed or misapplied.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup helper performs active capability probes against a connected phone, including reading one SMS from the inbox, querying notifications, and pushing then deleting a file on device storage, without an explicit consent prompt describing these sensitive actions. In a first-run setup tool, silently exercising data-access and file-operation capabilities can expose private information and violate user expectations, especially when '--check' still performs these probes once a device is connected.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Reading a sudo password from the SUDO_PASS environment variable is insecure because environment variables are commonly exposed to child processes, shell history/workflows, crash dumps, debugging tools, and sometimes process inspection depending on the environment. This script also normalizes that pattern without an explicit runtime warning, increasing the chance that users will adopt unsafe credential handling for privileged operations.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This function provides a silent SMS-sending path that bypasses normal user awareness if the connected device permits it, enabling covert messaging from the phone. In the context of an agent skill that can control a user device over ADB, this creates clear potential for abuse, fraud, exfiltration, or impersonation even if some devices block it.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The notifications function extracts active notifications, including titles and message text, which can expose highly sensitive personal data such as one-time codes, private messages, and app activity. In this skill context, ADB access plus notification scraping materially increases surveillance and credential-theft risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Capturing the device screen and saving it locally can collect credentials, messages, financial information, and other sensitive on-screen content without an in-band disclosure to the device user. Because the file is written to local disk, the exposure persists beyond the immediate action and broadens the breach surface.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The OBEX receive agent's AuthorizePush method unconditionally accepts incoming Bluetooth file transfers and returns a writable path without any user confirmation, device allowlist check, or policy gate. This enables nearby paired or otherwise authorized senders to drop files onto disk automatically, which can facilitate storage abuse, social-engineering payload delivery, or placing untrusted content where users may later open it.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
run_receive_agent registers a foreground OBEX agent that listens for and saves incoming files to ~/Downloads/bluetooth, effectively enabling unattended receipt of files once started. In the context of a Bluetooth skill, this increases risk because the feature is specifically exposed for nearby-device interaction, so automatic acceptance of untrusted inbound content is more dangerous than in a purely local-only utility.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The function exports the entire paired phone's address book to a local file path under ~/Downloads without any in-function user consent, warning, or access-control check. In a Bluetooth skill context, contacts are highly sensitive personal data, and silent disk persistence increases the risk of covert collection, later exfiltration, or unintended exposure to other local users/processes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code lists message metadata from the paired phone's MAP inbox without any user-facing disclosure or authorization gate in the function. Even without message bodies, metadata such as sender, timestamps, and folder paths is sensitive and can reveal communication patterns, making silent retrieval a meaningful privacy violation.

Missing User Warnings

High
Confidence
97% confidence
Finding
The function can send SMS messages through a paired phone over MAP with no built-in confirmation, approval, or policy enforcement. This is a high-risk action because it enables unauthorized outbound messaging from the victim device, which can cause financial cost, impersonation, social-engineering abuse, and reputational harm if invoked by an untrusted workflow or plugin.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This module exposes direct primitives to place calls, answer or hang up calls, and send SMS over the system D-Bus without any built-in user confirmation, policy check, authorization gate, or rate limiting. In the context of a Bluetooth skill that can act on a paired phone, this can enable unauthorized premium-rate calling, silent SMS transmission, or call interference if higher-level skill code invokes these functions on untrusted or accidental input.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The /synth endpoint accepts a user-controlled output path and writes server-side files to that location with no path restriction, sandboxing, or filename validation. An attacker can overwrite or create files anywhere the service account can access, including application data, temporary files, or sensitive system/user files, which can lead to denial of service, data corruption, or privilege abuse depending on deployment permissions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README advertises automatic bridging of incoming SMS, missed calls, and notifications into agent context without prominently warning that highly sensitive personal data will be ingested and potentially processed by autonomous logic. In the context of a phone-control skill, this creates a real privacy and data-minimization risk because users may enable broad access without understanding the scope of collection or downstream actions the agent may take.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal