Alibabacloud Vms Smart Call By Tts

Security checks across malware telemetry and agentic risk

Overview

This skill has a legitimate voice-call purpose, but its documentation under-discloses four classes of risk: it places real outbound calls, it handles long-lived cloud credentials, its installer fetches and extracts unverified code, and it persists changes to shell startup files. Review it before installing.

Install only after reviewing the call flow, credential setup, and installer script. Use least-privilege Aliyun credentials limited to VMS, test only with dedicated numbers, require a final confirmation before every call, avoid unrelated ECS/VPC/RDS setup, and do not run the CLI installer unless you are comfortable with its unverified download and persistent PATH changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The guide substantially expands beyond the smart voice call skill into broad Aliyun account setup, multiple auth modes, ECS operations, profile management, proxying, and unrelated service/plugin usage. In an agent skill context, this increases attack surface and can normalize over-privileged cloud access that is unnecessary for making VMS smart calls, making misuse or accidental overreach more likely.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The 'services you need' section tells users to install plugins for ecs, vpc, and rds, which are unrelated to a smart voice call skill. This can mislead operators into enabling broader cloud tooling than necessary and blur the boundary of what the skill should access.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The script claims it downloads a signed tarball, but it does not verify any signature, checksum, or pinned digest before extracting network-supplied content directly into a local bin directory. Streaming unverified remote content into tar increases supply-chain risk and allows a compromised CDN, MITM in a broken TLS environment, or malicious upstream artifact to place attacker-controlled files on disk.
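The finding above is the familiar "curl into tar" installer. As an added example (this is not the skill's installer script), the following shell shows the shape a reviewer would want instead: download to a file, compare it against a SHA-256 digest pinned in the script, refuse archives that contain absolute or parent-directory entries, and only then extract into a private directory. The `download` helper's curl flags are real but are not exercised offline; the digest source, the `aliyun` stub and the archive built by `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not the skill's installer: download to a file, compare its
# SHA-256 against a digest pinned in the script, and only then extract into a
# private directory. The pattern the finding describes (curl ... | tar -xz)
# extracts whatever the network returned, with no chance to check it first.
set -eu

# Portable SHA-256 of a file (coreutils on Linux, shasum on macOS/BSD).
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# download URL DEST: fetch to a file, HTTPS only, fail on HTTP errors.
# Not executed in the offline demo below.
download() {
  curl -fsSL --proto '=https' --tlsv1.2 -o "$2" "$1"
}

# verify_and_extract TARBALL EXPECTED_SHA256 DEST
# Extracts only when the digest matches and the archive contains no absolute
# or parent-directory paths; otherwise writes nothing and returns 1.
verify_and_extract() {
  tarball=$1; expected=$2; dest=$3
  actual=$(sha256_of "$tarball")
  if [ "$actual" != "$expected" ]; then
    echo "digest mismatch for $tarball: expected $expected, got $actual" >&2
    return 1
  fi
  if tar -tzf "$tarball" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
    echo "refusing $tarball: archive contains absolute or ../ paths" >&2
    return 1
  fi
  mkdir -p "$dest"
  tar -xzf "$tarball" -C "$dest"
}

# Offline demo with a constructed archive (a stub script, not the real CLI).
# The pinned digest would normally be copied from the vendor's release notes.
demo() {
  work=$(mktemp -d)
  mkdir -p "$work/src"
  printf '#!/bin/sh\necho aliyun-stub\n' > "$work/src/aliyun"
  chmod +x "$work/src/aliyun"
  tar -czf "$work/aliyun.tgz" -C "$work/src" aliyun
  pinned=$(sha256_of "$work/aliyun.tgz")

  verify_and_extract "$work/aliyun.tgz" "$pinned" "$work/bin"
  echo "ok: extracted to $work/bin"

  # A digest that does not match must leave the destination untouched.
  if verify_and_extract "$work/aliyun.tgz" deadbeef "$work/bin2" 2>/dev/null; then
    echo "BUG: tampered digest accepted" >&2; rm -rf "$work"; return 1
  fi
  if [ ! -e "$work/bin2" ]; then echo "ok: nothing written on mismatch"; fi

  # Use the binary through this session's PATH only; no edits to ~/.bashrc etc.
  PATH="$work/bin:$PATH" aliyun
  rm -rf "$work"
}
demo
```

The order matters: the file is fully on disk before anything looks at it, the digest check is the first gate, and the destination is a directory the installer owns rather than a shared `bin` already on `PATH`. Note that a pinned digest only protects against a changed artifact; if the digest itself is fetched from the same host as the tarball, a compromised host can rewrite both.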

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The installer persistently modifies the user's shell startup files to prepend $HOME/.local/bin to PATH, which creates lasting environment changes beyond the immediate need to run the skill. In an agent or automation context, this broadens the script's scope and can influence future shell sessions and unrelated commands, especially if later files are dropped into that directory.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
Broad trigger phrases such as everyday requests to 'call someone' or 'voice reminder' can cause unintended activation of a skill that initiates real outbound phone calls. In this context, accidental invocation is materially risky because it can contact real recipients and disclose AI-generated message content without a deliberate opt-in step.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill description emphasizes convenience but does not clearly warn that successful execution places a real outbound call to a matched contact and will speak LLM-generated content to that person. That omission raises the risk of users triggering sensitive communications without appreciating the privacy and real-world consequences.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The acceptance criteria normalize initiating real outbound voice calls but do not require any user-facing consent, warning about potential telephony charges, or privacy notice about contacting matched address-book recipients. In a skill that automatically matches contacts and generates call content via LLM, this omission increases the risk of unintended calls to real people, surprise billing, and disclosure of sensitive message content to the wrong recipient.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The guide shows commands that place access keys directly on the command line and persist them into CLI configuration without an adjacent warning about shell history and on-disk secret storage. In shared shells, terminals, CI logs, or recorded sessions, these secrets can be exposed and then used to compromise the cloud account.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The environment variable examples export cloud credentials but do not warn that environment variables may be inherited by subprocesses, exposed through debugging, leaked in CI/CD logs, or inspected on some systems. For an agent-driven skill, this is especially risky because multiple tools and commands may run in the same environment.
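The two findings above (secrets on the command line, secrets in exported variables) both leave the AccessKeySecret in files an operator rarely thinks about: shell history and environment dumps. The following shell is an added example, not the skill's code, that scans such a file, counts the exposures and prints the matching lines with the secret value redacted. The sample history is constructed; the `aliyun configure set` flags and the `ALIBABACLOUD_ACCESS_KEY_SECRET` / `ALIBABA_CLOUD_ACCESS_KEY_SECRET` / `ALICLOUD_SECRET_KEY` names are the ones the Aliyun CLI and SDKs are commonly configured with and should be treated as an assumption to extend for your environment.

```shell
#!/bin/sh
# Added example, not the skill's code: find Aliyun access-key secrets that
# were passed as CLI flags or exported as variables, and print the offending
# lines with the secret value redacted. Sample data below is constructed;
# the flag and variable names are an assumption about common configurations.

# Flag and variable names that carry the secret half of an AK pair.
SECRET_KEYS='--access-key-secret|ALIBABA_?CLOUD_ACCESS_KEY_SECRET|ALICLOUD_SECRET_KEY'

# exposure_count FILE -> number of lines carrying a clear-text secret
exposure_count() {
  grep -Ec "($SECRET_KEYS)[= ]+[^ ]+" "$1" || true
}

# redact <stdin >stdout -> same lines with secret values replaced. Key IDs are
# left visible: they are not secret on their own and help attribute the leak.
redact() {
  sed -E "s/($SECRET_KEYS)([= ]+)[^ ]+/\1\2<redacted>/g"
}

# Constructed sample of what ends up in ~/.bash_history after following a
# guide that puts the secret on the command line and in the environment.
SAMPLE_HISTORY='aliyun configure set --profile vms --mode AK --region cn-hangzhou --access-key-id LTAI5tEXAMPLEID --access-key-secret S3cr3tEXAMPLEvalue
export ALIBABACLOUD_ACCESS_KEY_ID=LTAI5tEXAMPLEID
export ALIBABACLOUD_ACCESS_KEY_SECRET=S3cr3tEXAMPLEvalue
ls -la ~/.aliyun'

# scan FILE -> prints a count and the redacted matching lines
scan() {
  echo "$1: $(exposure_count "$1") line(s) expose an access-key secret"
  grep -E "($SECRET_KEYS)[= ]+[^ ]+" "$1" | redact
}

f=$(mktemp)
printf '%s\n' "$SAMPLE_HISTORY" > "$f"
scan "$f"
rm -f "$f"
```

Run the same scan over CI logs and `env` output captured in incident tickets. When a hit is found, the remediation is to rotate the AccessKey pair, not just to delete the line: the secret has already been written to disk, and in a shared or recorded shell it has already been read.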

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The verification workflow instructs operators to invoke a real outbound voice-call API using active AK credentials and a free-form natural-language intent, but it does not clearly warn that this action may place an actual call, incur charges, or contact a real recipient from the address book. In this skill’s context, the risk is elevated because the product is specifically designed to auto-match contacts and generate call content via LLM, making unintended real-world actions more likely during testing or verification.
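Four of the findings (Vague Triggers and the three Missing User Warnings about real calls, charges and address-book matching) come down to the same missing control: nothing stands between "the skill decided to call" and "a real phone rang". The shell below is an added example, not the skill's code, of the gate the Overview recommends: the callee must be on a dedicated test allowlist and the operator must set `CALL_CONFIRM=yes` deliberately for that one invocation; anything else is a dry run that prints what would have been dialed. The numbers are constructed placeholders, and `fake_call` is a hypothetical stand-in for whatever command actually places the call.

```shell
#!/bin/sh
# Added example, not the skill's code: an opt-in gate in front of whatever
# command actually places the call. Two conditions must hold before the
# wrapped command runs: the number is on a dedicated test allowlist, and
# CALL_CONFIRM=yes was set deliberately for this invocation. Anything else
# is a dry run that prints what would have been called.

# Dedicated test numbers (constructed placeholders, not real subscribers).
TEST_NUMBERS="${TEST_NUMBERS:-+861380000000 +861380000001}"

# is_test_number NUMBER -> 0 if NUMBER is on the allowlist
is_test_number() {
  for n in $TEST_NUMBERS; do
    if [ "$n" = "$1" ]; then return 0; fi
  done
  return 1
}

# guarded_call NUMBER MESSAGE CMD [ARGS...]
# Runs: CMD ARGS... NUMBER MESSAGE, but only past both checks.
guarded_call() {
  number=$1; message=$2; shift 2
  if ! is_test_number "$number"; then
    echo "refusing: $number is not an allowlisted test number" >&2
    return 1
  fi
  if [ "${CALL_CONFIRM:-}" != "yes" ]; then
    printf 'DRY RUN: would call %s with "%s" (set CALL_CONFIRM=yes to place it)\n' \
      "$number" "$message" >&2
    return 1
  fi
  "$@" "$number" "$message"
}

# Hypothetical stand-in for the real call command: records instead of dialing.
fake_call() { echo "CALLED $1: $2"; }

# Demo: a non-allowlisted number is refused, an allowlisted one is a dry run
# until confirmed, and the confirmation is scoped to a single invocation.
guarded_call +861390000000 "meeting moved to 3pm" fake_call || true
guarded_call +861380000000 "meeting moved to 3pm" fake_call || true
( CALL_CONFIRM=yes; guarded_call +861380000000 "meeting moved to 3pm" fake_call )
```

The point of scoping `CALL_CONFIRM` to one invocation (a subshell in the demo) is that an agent running many tool calls in the same environment cannot inherit a confirmation given for an earlier call. The allowlist check fails closed: a number the LLM matched from the address book is refused unless an operator put it there.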

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
Debug mode prints the StringToSign and request target, which can expose sensitive business parameters and signed request metadata to terminal logs, CI logs, or shared observability systems. In a skill that places voice calls based on natural-language input, those parameters may contain personal contact data, message content, or temporary token-derived request details, increasing privacy and credential-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script appends exports to shell startup files without any user-facing warning, consent, or prompt. Silent persistence is risky in a skill installer because it surprises users, changes future shell behavior, and can be abused to ensure attacker-controlled binaries remain preferred on PATH.
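This finding and the earlier Context-Inappropriate Capability finding describe the same installer behaviour: silently appending a PATH export to shell startup files. The shell below is an added example, not the skill's installer, of how a reviewer would expect that step to look: nothing is written without an explicit `INSTALL_PERSIST_PATH=yes`, the line is written once, and it carries a marker so the edit can be audited and reverted. The marker text is hypothetical, the rc file is a parameter so the code can be exercised on a scratch copy, and the demo data is constructed.

```shell
#!/bin/sh
# Added example, not the skill's installer: persist a PATH change only with
# explicit consent, write it once, and tag it so the edit can be audited and
# reverted. RCFILE is a parameter so this can be tried on a scratch copy.

# Hypothetical marker text; anything unique and greppable works.
MARKER='# added by vms-smart-call installer (remove this line and the next to undo)'

# path_persisted RCFILE DIR -> 0 if RCFILE already prepends DIR to PATH
path_persisted() {
  grep -Fq "PATH=\"$2:\$PATH\"" "$1" 2>/dev/null
}

# persist_path RCFILE DIR
#   Without INSTALL_PERSIST_PATH=yes it writes nothing, prints the line the
#   user could add by hand, and returns 2. With consent it appends the line
#   once, preceded by MARKER. Returns 0 if the line is already there.
persist_path() {
  rcfile=$1; dir=$2
  line="export PATH=\"$dir:\$PATH\""
  if path_persisted "$rcfile" "$dir"; then
    echo "already present in $rcfile, nothing to do" >&2
    return 0
  fi
  if [ "${INSTALL_PERSIST_PATH:-}" != "yes" ]; then
    printf 'Not modifying %s. To make %s available in new shells, add:\n  %s\n' \
      "$rcfile" "$dir" "$line" >&2
    return 2
  fi
  printf '%s\n%s\n' "$MARKER" "$line" >> "$rcfile"
}

# audit_installer_edits RCFILE -> prints each marker line and the line after it
audit_installer_edits() {
  awk -v m="$MARKER" '$0 == m { p = 2 } p > 0 { print; p-- }' "$1"
}

# Demo on a scratch file rather than the real ~/.profile (constructed data).
demo_rc=$(mktemp)
persist_path "$demo_rc" "$HOME/.local/bin" || true                       # declines: no consent
( INSTALL_PERSIST_PATH=yes; persist_path "$demo_rc" "$HOME/.local/bin" )
( INSTALL_PERSIST_PATH=yes; persist_path "$demo_rc" "$HOME/.local/bin" ) # second run is a no-op
echo "installer edits in $demo_rc:"
audit_installer_edits "$demo_rc"
rm -f "$demo_rc"
```

For an existing installation, run `audit_installer_edits` against `~/.bashrc`, `~/.zshrc` and `~/.profile` to see what was added; if the installer used no marker, search for the `.local/bin` PATH line directly. Prepending to `PATH` means any file later dropped into that directory shadows system binaries of the same name, which is why the append should be a conscious choice rather than a side effect of installing one CLI.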

VirusTotal

66 of 66 vendors reported this skill as clean.
