Voice Reminder

Security checks across malware telemetry and agentic risk

Overview

This voice reminder skill mostly matches its purpose, but it can place real outbound calls through a hardcoded service while using unsafe background shell scheduling and retaining phone/reminder data without clear controls.

Install only if you trust the hardcoded external call service and account identifiers, and require manual confirmation for every recipient, message, and scheduled time. Avoid delayed reminders until the shell-based scheduler is replaced, and do not use this with sensitive phone numbers or private message content unless data retention is documented and controlled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (7)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if delay_seconds > 0:
    cmd = f"(sleep {delay_seconds} && {python_exe} {main_script} '{contact}' '{phone_content}' 0) &"
    subprocess.Popen(cmd, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)
    return True
else:
    subprocess.run([python_exe, main_script, contact, phone_content, "0"])
Confidence
99% confidence
Finding
subprocess.Popen(cmd, shell=True, stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes sensitive capabilities—shell execution, file access, and network use—yet declares no permissions or user-facing constraints. In this context, the skill can place outbound calls and access contact data, so the lack of explicit permission gating weakens reviewability and increases the risk of unauthorized actions or abuse.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The file contains a persistent history of personally identifiable information, including names, phone numbers, reminder text, and timestamps. For a skill whose stated purpose is sending outbound calls or reminders, retaining this data in a durable log is not obviously necessary and creates privacy, surveillance, and unauthorized disclosure risk if the file is accessed, copied, or reused.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The trigger scope is overly broad because it activates on general phrases like '通知他们' when the system merely infers that phone notification is appropriate. For an outbound-calling skill, ambiguous activation can cause unintended calls, disclosure of message content to the wrong recipient, or abuse through prompt/context confusion.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits a recipient phone number and message content to an external third-party service, and it also contains hardcoded personal contacts and account identifiers. In the context of an outbound-calling skill, some transmission is expected, but the lack of explicit consent, transparency, validation of destination, and secret management increases privacy and misuse risk if the skill is triggered unexpectedly or used with sensitive content.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill can schedule an outbound phone action immediately or in the background without any confirmation, authorization check, or visible warning to the user. In an agent context, this increases the risk of misuse, social-engineering-triggered calls, or silent execution of unwanted external actions, especially when combined with the shell-injection flaw on the delayed path.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists phone numbers, message content, and timestamps into a JSON file without any notice, minimization, access control, or retention policy. This creates privacy and data-exposure risk if the file is read by other local users, included in backups, or later leaked from the host.

VirusTotal

66/66 vendors flagged this skill as clean.
