
Security audit

Fraud Call Identification Analysis Tool | 诈骗电话识别分析工具

Security checks across malware telemetry and agentic risk

Overview

This skill is a cloud-backed fraud-call analyzer, but it silently creates or reuses an identity, stores tokens locally, and has mismatched media-handling behavior that users should review before installing.

Install only if you are comfortable sending call content, local media files, or URLs to the publisher's cloud service and having reports linked to a persistent local identity. Ask the publisher to document retention, deletion, the local SQLite/token storage location, and why video-oriented code is included in a fraud-call skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Memory Poisoning: Persistent Context Injection, Context Window Stuffing, Memory Manipulation
Findings (25)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill advertises substantial capabilities including shell execution, network access, local file read/write, and environment access, yet declares no permissions or trust boundaries. That mismatch weakens reviewability and informed consent, making it easier for risky behaviors such as local persistence or remote data transfer to occur without clear operator awareness.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose is call-fraud analysis, but the observed behavior includes remote account registration/login, local token or identity persistence, historical report retrieval, and generic file/video handling beyond the claimed scope. This is dangerous because users may provide sensitive call data under a narrow trust assumption while the skill silently performs broader identity-linked cloud operations and local storage.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The implementation accepts either a remote URL or a local file, validates file extensions against supported formats, and uploads the content as a file under a 'videoUrl'/file workflow, which conflicts with the skill's declared purpose of analyzing incoming call content. This mismatch can mislead users into providing richer media than expected and broadens the data exposure surface to unnecessary local file or remote media upload.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding: The error text explicitly tells the user to provide a local or network video path, directly contradicting the skill description about incoming call content. Misleading prompts are security-relevant here because they can induce users to submit unrelated, potentially sensitive media under false expectations about what the skill processes.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: The implementation materially diverges from the declared purpose of fraud-call identification: it accepts MP4 video input, prints 'analyzing video', and exposes a video-history listing function. This is dangerous because users and higher-level agents may grant access or route sensitive call-analysis tasks based on the manifest, while the code actually performs different networked processing, creating a trust-boundary violation and increasing the risk of unintended data handling or misuse.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding: This file exposes broad generic network and CRUD capabilities (add, edit, delete, and arbitrary GET/POST/PUT/DELETE wrappers) that are not constrained to the declared fraud-call analysis purpose. In an agent skill context, this materially expands the attack surface: other parts of the skill can use this helper to reach arbitrary endpoints or modify remote resources, enabling data exfiltration or unauthorized side effects beyond passive analysis.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding: The add, edit, and delete methods provide direct remote modification primitives without any visible restriction on destination, operation type, or business context. For a skill whose stated function is call-fraud identification, such write/delete capabilities are unjustified and could be abused by compromised skill logic or prompt-influenced flows to alter or destroy remote data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding: The generic http_post/http_put/http_get/http_delete wrappers allow arbitrary network access and can be repurposed for unintended external communication. In a fraud-call analysis skill, this is broader than necessary and increases the risk of exfiltration, command-and-control-style callbacks, or use as a proxy to reach internal or sensitive services, depending on runtime network reachability.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding: This utility performs implicit account creation/phone login against an external service, retrieves tokens, and persists them locally, which is unrelated to a fraud-call analysis skill's stated purpose. In context, this creates hidden identity side effects and outbound authentication behavior that could register users, link identities, or reuse stored credentials without informed user action.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The code derives an internal open-id by reading workspace environment, local files, and database state, then reuses or creates a default identity. For a call-analysis skill, this is unnecessary hidden identity discovery that can silently bind actions to local state and leak or misuse unrelated workspace identities.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding: The auto-trigger phrases for historical report access are broad common-language terms, so normal conversation could unintentionally invoke cloud report listing. In a skill that associates reports with an internal identity, unintended triggering can expose sensitive historical analysis metadata or cause unexpected remote queries.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The skill says uploaded attachments or media will be automatically saved locally, but it does not clearly warn the user about this retention behavior. Automatic local persistence of potentially sensitive call recordings, images, or videos increases privacy and data-handling risk, especially if files remain on disk after processing.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding: The skill mandates direct cloud API access for historical reports without clearly warning users that identity-linked report data will be fetched from a remote service. This creates a privacy and transparency issue because users may not realize their prior report metadata is being retrieved from the cloud based on an internal identity association.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The workflow describes silently reusing or creating a default local user identity and associating future reports with it, without a clear user-facing warning. Hidden identity creation and persistence can surprise users, create cross-session linkage, and expand the privacy impact of otherwise one-off analysis tasks.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The tool accepts sensitive call audio, URLs, or call text and passes the material into downstream analysis via skill.get_output_analysis without giving users a clear disclosure about external transmission, retention, or processing scope. In an anti-fraud skill, call content can contain highly sensitive personal, financial, or authentication data, so silent forwarding to a backend or third party creates a real privacy and data-handling risk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The skill reads arbitrary local file contents into memory and sends them to the analysis service, or forwards a user-supplied remote URL, without any user-facing warning in this code path. For a security-themed skill, silent transmission of local media or third-party URLs increases privacy and data-handling risk because users may not realize their files or external resources are being sent off-box.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The script defines a hidden --api-key parameter using argparse.SUPPRESS, which allows credential-bearing network use without visible help text or clear user disclosure. Hidden credential inputs reduce transparency and auditability, making it easier for a caller or wrapper to pass secrets into an unexpected code path and harder for users to understand that external authenticated requests may occur.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The utility reads a sensitive identity value from data/smyx-api-key.txt without any user-facing disclosure or consent flow. This can silently harvest or repurpose a workspace secret/identifier for network actions, which is especially risky in a skill whose declared function is content analysis rather than identity management.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The _get_or_create_user helper transmits openId, mobile, registration, and source fields to a remote endpoint without transparent disclosure to the user. This hidden transmission of identifying data exceeds what is expected for scam-call text analysis and can expose personal or pseudo-personal identifiers to an external service.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The generic HTTP wrapper automatically attaches authentication headers and merges contextual identity data into outbound requests without user-facing disclosure. In this skill context, that means analysis inputs may be coupled with tokens, tenant codes, and usernames and sent externally in a way the user would not reasonably expect.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
        "source": ConstantEnum.DEFAULT__SKILL_HUB_NAME
    }
    try:
        _response = requests.post(_url, json=_data)
        if _response.status_code == 200:
            _response_json = _response.json()
            if _response_json and _response_json.get("success"):
Confidence: 95%
Finding: requests.post(_url, json=

Context Window Stuffing

Severity: Medium
Category: Memory Poisoning
Content:
    ConstantEnum.DEFAULT__SKILL_HUB_NAME and data.setdefault('skillHubName',
                                                             ConstantEnum.DEFAULT__SKILL_HUB_NAME)
    ConstantEnum.DEFAULT__SKILL_PLATFORM_NAME and data.setdefault('skillPlatform',
                                                                  ConstantEnum.DEFAULT__SKILL_PLATFORM_NAME)
    if current__user_name:
        data.setdefault('pnaUserName', current__user_name)
Confidence: 84%
Finding: Automatically injecting pnaUserName into every outbound request propagates identity context beyond the minimum necessary. In an analysis skill, this increases privacy risk and creates hidden coupling between user identity and arbitrary network requests.

Unvalidated Output Injection

Severity: High
Category: Output Handling
Content:
    try:
        # Execute the command
        # result = subprocess.run(
        #     cmd,
        #     capture_output=True,
        #     text=True,
Confidence: 95%
Finding: subprocess.run( # cmd, # capture_output

Hidden Instructions

Severity: High
Category: Prompt Injection
Content:
    |---|---|
    | 📚 Document reading | Read reference documents only when needed; keep the context concise |
    | 📁 Format support | Audio requirements: mp3/wav/m4a formats supported, maximum 10MB |
    | 🧑‍⚖️ Nature of results | Analysis results are for anti-fraud reference only and cannot replace an official police determination; if you encounter suspected fraud, report it to the police promptly |
    | 🚫 Script restriction | Generating ad-hoc scripts is prohibited; only the skill's own scripts may be used |
    | 🌐 Network addresses | Network address parameters passed in do not need to be downloaded locally; addresses are assumed to be public, and the API service downloads them automatically |
    | 📜 Report output | When displaying the list of historical analysis reports, extract the field from the JSON returned by the API as the hyperlink address and automatically convert it into the following Markdown |
Confidence: 90%
Finding:

YARA rule 'agent_skill_mcp_tool_poisoning_metadata': MCP/tool metadata poisoning indicators in tool schemas or skill manifests [agent_skills]

Severity: High
Category: YARA Match
Content:
    ---
    name: "fraud-call-identification-analysis"
    description: "Analyzes incoming call content for multi-dimensional risk, intelligently identifies scam scripts, determines if a call is fraudulent, assesses risk levels, and generates an Anti-Fraud Guardian analysis report. | 诈骗电话识别分析工具,针对来电通话内容进行多维度风险分析,智能识别诈骗话术,判断是否为诈骗电话并评估风险等级,输出反诈卫士分析报告"
    version: "1.0.6"
    license: "MIT-0"
    ---
Confidence: 84%
Finding: description:; ‍

VirusTotal

65/65 vendors flagged this skill as clean.
