Phone Caller

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it advertises, but it can place real phone calls while exposing call content through broad, weakly controlled data-sharing paths.

Install only if you are comfortable giving it Twilio, ElevenLabs, OpenAI, and local messaging access and letting it contact real people. Before use, add explicit confirmation before each call and before sending summaries, verify MASTER_PHONE, authenticate Twilio webhook requests, avoid sensitive call content, review call-recording/transcription consent rules, and clean up or disable /tmp logs, tmpfiles.org hosting, cron jobs, and automatic iMessage summaries.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
Findings (12)

Direct flow: open (file read) → requests.post (network output)

High
Category
Data Flow
Content
```python
    # Audio is written to a persistent temp file (delete=False), so it stays on disk after upload.
    with tempfile.NamedTemporaryFile(suffix=".mp3", delete=False) as f:
        f.write(audio_bytes)
        tmp_path = f.name
    # The file is read back and posted to a public third-party host; the handle is never closed.
    resp = requests.post("https://tmpfiles.org/api/v1/upload", files={"file": open(tmp_path, "rb")})
    resp.raise_for_status()
    # The returned share URL is rewritten into a direct-download link.
    url = resp.json()["data"]["url"].replace("tmpfiles.org/", "tmpfiles.org/dl/")
    return url
```
Confidence
98% confidence
Finding
resp = requests.post("https://tmpfiles.org/api/v1/upload", files={"file": open(tmp_path, "rb")})

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly requires sensitive capabilities including environment secrets, network access, shell execution, and file writes, but it does not declare permissions or prominently warn users about them. This weakens review and consent boundaries, making it easier for a caller to trigger actions involving credentials, external services, and local persistence without informed approval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior omits materially sensitive side effects: post-call transcript/summary analysis, automatic iMessage transmission to MASTER_PHONE, and storage of logs in /tmp. That mismatch can mislead users into authorizing a phone-call skill without realizing conversation content may be retained and forwarded to a third party or another device.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Uploading call audio to tmpfiles.org is not required by the stated purpose and expands data exposure to an unnecessary external party. In a phone-calling skill, message audio may include sensitive user instructions, personal details, or business communications, making the context more dangerous than a generic file-sharing utility.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The code compiles a transcript-derived summary of the call and sends it via iMessage to MASTER_PHONE, which is an additional data-sharing channel not described in the skill metadata. This creates a covert or at least undisclosed exfiltration path for potentially sensitive call contents, names, times, and outcomes.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Invoking a local iMessage CLI to forward call summaries expands the skill's capabilities beyond placing and managing phone calls, and it does so using local host messaging access. In context, that makes the skill more dangerous because it can silently relay conversation-derived information to another endpoint outside the expected Twilio/ElevenLabs flow.

Vague Triggers

High
Confidence
90% confidence
Finding
The trigger phrases are broad, common terms like 'call', 'phone', 'reserve', and 'schedule a call', which increases the chance of accidental invocation during normal conversation. In this skill context, accidental activation is especially risky because invocation can lead to outbound calls, external service use, and disclosure of conversation-derived summaries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill description does not clearly warn, near the interactive-mode overview, that call summaries are automatically transmitted via iMessage after the call. Because phone calls may contain personal, financial, or sensitive scheduling details, undisclosed automatic forwarding materially increases privacy and consent risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This line confirms that a GPT-generated summary is automatically sent to the number in MASTER_PHONE, but the skill does not frame this as a sensitive exfiltration path requiring explicit consent. In context, this is more dangerous because call content may include private speech from third parties who have not consented to onward transmission or AI summarization.

Missing User Warnings

High
Confidence
96% confidence
Finding
The code sends audio/message content to a third-party host without any explicit disclosure, confirmation, or consent mechanism. Users may believe the message is only used for TTS and calling, while in reality it is also published to another service, creating a privacy and confidentiality issue.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill sends spoken content and transcript-derived text to external providers including ElevenLabs and OpenAI, then forwards a summary by iMessage, without any visible disclosure, consent, or privacy controls. Because phone calls can contain personal or sensitive information, undisclosed third-party processing materially increases privacy and compliance risk.

Session Persistence

Medium
Category
Rogue Agent
Content
Use macOS cron for timed calls:
```bash
# Add to crontab — this example calls at 8:45 AM
crontab -e
45 8 24 2 * python3 /path/to/scripts/one_way_call.py --to "+1..." --text "Good morning!" >> /tmp/call.log 2>&1
```
Confidence
84% confidence
Finding
crontab -e

VirusTotal

66/66 vendors flagged this skill as clean.
