Telnyx Toolkit

Security checks across malware telemetry and agentic risk

Overview

The skill is a real Telnyx toolkit, but it bundles broad account, payment, backup, persistence, credential, and local privilege powers that need careful review before use.

Install only if you want a broad Telnyx automation bundle, not just docs. Before use, require confirmation for payment top-ups, account upgrades, GitHub/LinkedIn identity verification, backup uploads, cron jobs, public networking, and sudoers changes; avoid running the auto-installing push helpers or sourcing untrusted .env files in sensitive environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (182)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill declares only environment requirements but describes behaviors that clearly require shell, network, and file access across many companion tools. This capability/permission mismatch is dangerous because it can cause reviewers or runtime policy systems to underestimate what the skill can do, including reading local files, invoking scripts, and making outbound API calls.

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The top-level description markets the skill as a general Telnyx toolkit and documentation bundle, but the documented behavior extends into materially more sensitive areas such as GitHub token inspection, LinkedIn/OAuth-based upgrade flows, proof-of-work solving, Cloudflare tunneling, backups, and telephony control. This mismatch increases the chance that users authorize the skill under false assumptions, exposing credentials, external accounts, and infrastructure operations they did not expect.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill is described as focused on acquiring phone numbers, but it also exposes comment-management operations that are unrelated to that purpose. This unnecessary expansion of capability increases the chance an agent could access or modify ancillary account data outside the user's intended task scope, creating avoidable overreach and confusion.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill description says it configures voicemail, voice channels, and emergency services, but it does not clearly disclose that the file includes create, update, and delete operations affecting live telephony and E911 resources. That mismatch can cause an agent or user to invoke mutating actions under the assumption that the skill is primarily informational or read-oriented, increasing the risk of unintended account changes.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The description says the skill lets users 'List, view, and update port-out status,' but the body also documents create-comment, create-supporting-document, create-report, and event-republish operations. This mismatch can mislead users or higher-level agents into treating the skill as lower risk than it is, increasing the chance of unintended state-changing actions on live telecom resources.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The documentation includes a real-looking JWT-style refresh token instead of an obviously fake placeholder. If this token was ever valid, copied from a real environment, or accepted by downstream users as a template, it could expose session access patterns, encourage unsafe reuse of secrets, and normalize embedding credentials in docs.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill description claims only list/view/update-status capabilities, but the body also documents multiple state-changing actions such as creating comments, uploading supporting documents, generating reports, and republishing events. This mismatch can mislead an agent or operator into granting or invoking broader write privileges than expected, increasing the chance of unintended changes to sensitive port-out workflows.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to use external messaging channels and consult OpenClaw channel-state data to deliver device codes and verification links. Even though framed as account verification, this expands the skill's authority into cross-channel messaging and user-tracking behavior without a strict consent boundary, creating risk of privacy leakage, message spoofing, or abuse if the skill is triggered unexpectedly.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill directs creation of persistent cron jobs in an isolated session for long-term polling and follow-up actions. Scheduled background execution exceeds a narrow one-shot upgrade flow and can create durable agent behavior that continues after the original interaction, increasing the blast radius if misconfigured or abused.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script explicitly retrieves the currently authenticated GitHub OAuth token and prints it to stdout, which is credential extraction behavior unrelated to the stated Telnyx toolkit purpose. Even if intended for convenience, exposing a live access token in plaintext increases the chance of accidental disclosure through terminal logs, shell history capture, CI logs, or downstream command substitution.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The core behavior at this location is to call `gh auth token` and expose the returned credential, which is not justified by the package description focused on Telnyx STT/TTS/RAG/networking/10DLC capabilities. Because the credential belongs to the user's GitHub account, misuse could enable repository access, code tampering, package publishing, or other account actions depending on token scope.

Description-Behavior Mismatch

Medium
Confidence
85% confidence
Finding
The skill extends beyond Telnyx mission tracking into directing the agent to use unrelated external messaging channels for human reporting and approval gates. That broadens the operational scope and can cause the agent to interact with third-party systems or disclose mission results through channels the user did not explicitly authorize.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The documentation explicitly instructs the agent to DM humans via Telegram/Slack, which is outside the stated Telnyx mission purpose and introduces an unauthorized exfiltration path for mission data. Even if intended for convenience, it can leak sensitive call outcomes, contact details, or operational state to external systems without a clear consent boundary.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill recommends creating cron jobs that continue mission execution, poll results, handle retries, complete missions, and report outcomes autonomously. This materially increases the skill's power from tracking to unattended automation, enabling persistent outbound calling/SMS behavior and follow-on actions after the original interactive session ends.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This script performs remote state changes by creating a storage bucket and uploading a node registration record, but that behavior is broader than the stated toolkit description and may surprise a user who expects only local or clearly scoped Telnyx utilities. Hidden or under-disclosed network registration increases the risk of unintended data exposure, unauthorized infrastructure changes, and trust boundary violations in agent-executed environments.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The header comment describes the script as registering a node, but the implementation also provisions remote registry infrastructure if the bucket does not already exist. This mismatch is dangerous because users or agents may authorize a seemingly narrow action while the script performs additional privileged changes in a remote account.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This script adds a persistent sudoers entry for WireGuard management, which is a privileged system modification that does not align with the stated Telnyx-focused toolkit purpose. Even if intended for convenience, bundling unrelated privilege-granting functionality increases attack surface and can mislead users into granting elevated access they did not expect.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script provisions passwordless sudo for WireGuard binaries by writing to /etc/sudoers.d, creating a persistent privileged capability for the target user. Passwordless sudo substantially lowers the barrier to privilege use, and if the user account or calling application is compromised, an attacker can manipulate network interfaces and routing without further authentication.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The comments frame the script as enabling autonomous WireGuard management, but the actual behavior is to grant a user a persistent passwordless sudo policy. That mismatch is security-relevant because it can cause reviewers or operators to underestimate the permanence and scope of the privilege change before running it.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script automatically executes `npm install --production` when `node_modules` is absent, which runs code from package lifecycle scripts and pulls whatever dependency versions are currently resolved in that directory. This creates a supply-chain and unexpected-code-execution risk because simply invoking the helper can trigger network access and execution of unreviewed third-party install scripts without explicit user consent.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script automatically runs `npm install --production` when `node_modules` is absent, which executes code from package lifecycle scripts and fetches unpinned remote content at runtime. In a security-sensitive helper that handles APNs credentials, this creates an unnecessary supply-chain execution path that can lead to arbitrary code execution if dependencies or registry resolution are compromised.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The script sources a local .env file with Bash `source`, which executes arbitrary shell code rather than safely parsing key-value pairs. In a setup script, this expands the trust boundary from reading configuration to executing attacker-controlled commands if the .env file is modified or planted locally.

Intent-Code Divergence

Low
Confidence
90% confidence
Finding
The comments state that only 401/403 should indicate invalid credentials, but the code treats any 2xx-4xx response as success. This can incorrectly accept malformed requests, missing resources, or other client errors as proof that the API key is valid, causing misleading setup results and potentially masking authentication problems.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script's declared behavior is to archive and upload an OpenClaw workspace, which is outside the stated scope of a Telnyx toolkit and materially increases the blast radius of the tool. In a skill package, this creates a covert data-export capability that can collect unrelated local files and send them to remote storage.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The backup list includes broad workspace files and directories such as memory, knowledge, scripts, and skills, which may contain sensitive prompts, secrets, operational state, or proprietary data. The script compresses these local contents and uploads them to remote object storage, making this an exfiltration path for unrelated data.

VirusTotal

65/65 vendors flagged this skill as clean.