Skill v1.0.0

VirusTotal security

Phone Caller · External malware reputation and Code Insight signals for this exact artifact hash.

Scanner verdict

Suspicious · Apr 29, 2026, 4:29 AM
Hash
15173782fe428dddb7f54ba1398e32c885514d47ff4c29ca77c7edb1c29ef8fe
Source
palm
Verdict
suspicious
Code Insight
Type: OpenClaw Skill
Name: phone-caller
Version: 1.0.0

The skill is suspicious due to multiple vulnerabilities. The most critical is the potential for shell injection in `scripts/server.py`. The `send_summary` function uses `subprocess.run` to execute `imsg` with a `--text` argument containing a GPT-generated summary and a user-influenced transcript. This creates an RCE risk if the `imsg` command is vulnerable to argument injection or if the GPT model can be prompted to generate shell metacharacters.

Additionally, the skill is vulnerable to prompt injection against the GPT model in `scripts/interactive_call.py` and `scripts/server.py`, where user-controlled `persona` and `opening` arguments are directly used as prompts, potentially allowing manipulation of the AI's behavior.

The skill also sends sensitive conversation data (summaries and transcripts) via iMessage to a configured `MASTER_PHONE`.