Back to skill

Security audit

graineai

Security checks across malware telemetry and agentic risk

Overview

PollyReach is a coherent phone-call skill, but it handles call recordings, transcripts, phone numbers, and ongoing call answering without enough privacy and consent guardrails.

Install only if you are comfortable routing phone-call tasks, phone numbers, transcripts, summaries, and recording links through PollyReach. Before using it in production or business settings, add your own policy for consent, caller disclosure, call recording legality, retention, access controls, and stopping any scheduled polling.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation exposes a call-recording capability (`record: true`) without any warning about legal consent, jurisdictional restrictions, retention, or notification requirements. In a telephony skill, omission of these safeguards can lead downstream users to implement recording in ways that violate privacy laws or organizational policy.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The examples explicitly include customer-identifying fields such as customer_name, policy_number, phone numbers, and webhook/API destinations, but provide no guidance on minimizing, redacting, or protecting personal data in transit. In documentation for agent integrations, this can normalize unsafe deployment patterns and lead users to send unnecessary PII to third-party endpoints without consent, encryption review, or data handling controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The outbound call examples show call recording enabled and attach customer metadata to requests without any notice about consent, retention, or jurisdiction-specific recording laws. This is dangerous because users may copy these examples into production and inadvertently collect or transmit regulated personal data without appropriate legal basis or user disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The webhook example includes highly sensitive call data such as phone numbers, full transcripts, recording URLs, organization identifiers, and provider call metadata being delivered to a user-controlled endpoint without any warning about privacy, consent, retention, or secure handling. In a telephony/AI calling context, this increases the risk of inadvertent exposure of personal data, call content, and recordings if integrators implement webhooks insecurely or without understanding their compliance obligations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.