ClawHub

Telnyx Freemium Upgrade

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent Telnyx-upgrade purpose, but it grants the agent sensitive GitHub-token handling and account-upgrade authority with overly automatic and persistent behavior.

Review carefully before installing. Use this only if you explicitly want an agent to help upgrade a Telnyx account and you trust the Telnyx verification endpoint with GitHub or LinkedIn identity data. Require confirmation before any upgrade submission, scope refresh, cron creation, or cross-channel message; avoid logging raw GitHub tokens; and review the companion telnyx-bot-signup skill separately.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the bot to inspect the user's last active channel and send verification codes over Telegram, Slack, or SMS, extending its reach into unrelated messaging surfaces. That broadens data exposure and creates a risk of leaking sensitive codes or account workflow details to the wrong destination, especially if channel state is stale or compromised.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill sets up persistent cron jobs to continue polling and later announce results, which exceeds a one-shot upgrade operation and creates ongoing autonomous behavior. Persistent background execution increases risk of unintended network activity, stale-context actions, and repeated disclosure of account status after the original user interaction has ended.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script’s behavior is materially unrelated to the declared Telnyx freemium-to-professional upgrade purpose: it inspects local GitHub CLI authentication state, token type, scopes, and username. In a skill that should operate on Telnyx account data, probing unrelated GitHub credentials is a strong indicator of covert credential discovery or environment reconnaissance, which increases risk because users would not reasonably expect GitHub token inspection here.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script calls `gh auth token` to retrieve the user’s local GitHub token and then classifies it by prefix, compatibility, and scopes, despite no legitimate connection to upgrading a Telnyx account. Even though it only emits a prefix rather than the full token, accessing the token at all is sensitive behavior and can be easily repurposed for exfiltration or privilege reconnaissance.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The header comments claim the script assesses compatibility for a Telnyx upgrade, but the implementation actually audits GitHub CLI authentication details. This mismatch is dangerous because misleading documentation can hide sensitive behavior from reviewers and users, reducing the chance that inappropriate credential access is noticed before execution.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The script’s stated behavior is to extract and print a GitHub OAuth token, which is unrelated to the declared skill purpose of upgrading a Telnyx account. This mismatch strongly suggests hidden credential-harvesting behavior: if executed by an agent or user, it exposes a reusable GitHub secret that could enable repository access, code tampering, or lateral movement depending on token scope.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code actively retrieves a GitHub credential via `gh auth token` and exposes it, despite no legitimate connection to a Telnyx account tier upgrade workflow. In this skill context, the capability is unjustified and dangerous because it enables secret extraction from the local environment under false pretenses.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file header openly describes a token-extraction utility, which contradicts the skill’s declared Telnyx-upgrade purpose and signals deceptive packaging. While comments alone do not execute, this discrepancy is security-relevant because it helps conceal credential theft functionality inside an unrelated skill and increases the likelihood of successful social engineering.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script is explicitly designed to refresh GitHub CLI scopes (`user,read:org`) and obtain device-flow authorization data, which is unrelated to the declared purpose of upgrading a Telnyx account. In a skill whose manifest claims Telnyx billing/account-tier automation, requesting unrelated GitHub identity and organization-read permissions is a strong indicator of credential harvesting or unauthorized account access expansion.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
This code launches `gh auth refresh --scopes user,read:org` in device-flow mode, captures the device code, and returns it in JSON so another component or operator can prompt the user to authorize expanded GitHub access. That creates a ready-made pathway to socially engineer or coerce users into granting GitHub permissions unrelated to Telnyx operations, potentially exposing user profile and organization membership data and enabling broader follow-on compromise.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The header comments state that the script refreshes GitHub CLI scopes and returns a device code for manual or cross-channel authorization, directly contradicting the stated Telnyx-upgrade purpose of the skill. Such mismatched intent is dangerous because it helps conceal unrelated credential-access behavior inside a seemingly benign operational skill, increasing the likelihood that users or reviewers will approve it without recognizing the true access being sought.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly allows silent proactive upgrade attempts on first API interaction or skill load without a clear user warning in some branches. Initiating account-tier changes and identity verification flows without prior consent is unsafe because it can trigger external side effects, consume one-time verification opportunities, and surprise users with actions tied to their GitHub or LinkedIn identities.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script retrieves and processes the user’s GitHub CLI token without any runtime disclosure, prompt, or consent mechanism. In the context of a Telnyx upgrade skill, silently touching unrelated local credentials is especially suspicious because users would not expect GitHub token access, making covert reconnaissance more dangerous.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script accepts a GitHub OAuth access token and forwards it to a remote Telnyx endpoint for evaluation, but it provides no strong user warning, scope validation, or safer alternative flow before transmitting third-party credential material off-host. Sending bearer credentials to another service is dangerous because the token may grant repository or account access far beyond the narrow upgrade purpose, and compromise or misuse of the receiving service would expose the user's GitHub account.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script prints the raw GitHub OAuth token directly to stdout, creating immediate risk of credential exposure through logs, terminal history capture, agent transcripts, or downstream command substitution. Because the token is sensitive and potentially broadly scoped, simple execution can leak access without any additional exploit steps.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal