Sip Voice Call Control

Security checks across malware telemetry and agentic risk

Overview

This is a real Telnyx voice assistant, but it exposes a persistent phone-accessible service that can run local tools, search files, change reminders, and send messages with limited safeguards.

Install only if you intentionally want a persistent, phone-accessible assistant with local tool authority. Before use, restrict who can call, add webhook validation and a caller PIN or allowlist, disable or gate send_message and reminder deletion, fix shell execution to use argument arrays, use a scoped Telnyx key, limit WORKSPACE_DIR to non-sensitive files, and review or remove local gateway token access and automatic tunnel/app setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill clearly requires environment access for `TELNYX_API_KEY` and network access for Telnyx webhooks, inference, and optional tunneling, yet these capabilities are not explicitly declared as permissions. This weakens user and agent awareness of the skill's trust boundary and can lead to underinformed deployment of a network-facing service.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior extends well beyond simple SIP voice control into local file reads, workspace memory search, cron/reminder management, external messaging, weather fetches, and infrastructure changes such as Cloudflare tunnel and Telnyx app provisioning. This mismatch is dangerous because users may authorize a seemingly narrow voice skill without realizing it can access local data, execute local actions, and expose services externally.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The documentation instructs agents to start and manage a persistent background process using `nohup`, `ps`, `pkill`, and shell commands. That expands the skill from a bounded voice integration into host process management, increasing the chance of unintended persistence, operational drift, and abuse on shared systems.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Automatic Cloudflare tunnel creation exposes a local service to the internet and materially changes the attack surface, yet this is not central to the stated skill purpose and is only lightly disclosed. In the context of a voice-call control skill, externally publishing a local webhook endpoint makes any implementation flaws or misconfigurations significantly more dangerous.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill exposes capabilities well beyond basic Telnyx voice call control, including reminder management, memory search, weather lookup, and especially outbound messaging. In a voice-call context, this materially expands the attack surface because a caller can trigger actions in other systems through speech, creating a confused-deputy risk and unexpected privilege use.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file imports and uses `exec` from `child_process` to run local CLI and shell commands, then builds command strings with user-influenced values such as reminder messages, times, search terms, and file paths. This creates a direct command-injection and arbitrary local command execution risk, which is far more dangerous than the stated voice-control purpose justifies.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The skill reads workspace files and home-directory configuration to load personalization and gateway authentication details unrelated to minimal voice call control. In practice, this grants the voice agent access to local sensitive data and tokens that can be used to pivot into other systems, increasing the blast radius if the call flow or model behavior is abused.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The send_message tool allows a phone caller, via model-mediated tool invocation, to trigger outbound messages across Slack, WhatsApp, Telegram, Signal, Discord, and iMessage through a privileged local gateway. This is a high-risk cross-channel action because it can be abused for spam, impersonation, social engineering, and unauthorized communications from the user’s connected accounts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The setup flow tells agents to collect and write a Telnyx API key into `.env` but does not warn about secure handling, storage permissions, redaction, or avoiding logs/history leakage. This creates a real risk of credential exposure through shell history, transcripts, backups, or permissive file permissions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explains that Telnyx handles audio and that webhooks are used, but it does not present a clear privacy warning that call audio and conversation content are processed by a third party. For a phone-based assistant, omission of this disclosure can cause users to expose sensitive spoken information without informed consent.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User transcripts, conversation history, personalization data, and tool-derived content are sent to external services including Telnyx inference and call-control endpoints, without any visible runtime disclosure or consent mechanism. In a voice assistant handling personal reminders, notes, and messages, silent transmission of this data can expose sensitive personal and operational information to third parties.

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
cd /path/to/sip-voice-call-control
nohup npm run start > sip-voice-call-control.log 2>&1 &
```

Or from an agent:
Confidence
91% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
Or from an agent:

```typescript
// Use nohup to keep process alive after session ends
exec({ 
  command: "cd /path/to/sip-voice-call-control && nohup npm run start > sip-voice-call-control.log 2>&1 &",
  background: true
})
```
Confidence
93% confidence
Finding
nohup

Session Persistence

Medium
Category
Rogue Agent
Content
```typescript
// Use nohup to keep process alive after session ends
exec({ 
  command: "cd /path/to/sip-voice-call-control && nohup npm run start > sip-voice-call-control.log 2>&1 &",
  background: true 
})
```
Confidence
93% confidence
Finding
nohup

VirusTotal

64/64 vendors flagged this skill as clean.