ClawHub

Send SMS text and bulk messages via TelTel.io API

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says: send SMS messages through TelTel, with no evidence of hidden persistence, unrelated data access, or deceptive behavior.

Install only if you intend to let the agent send SMS through your TelTel account. Keep the TelTel API key in environment variables, use dry-run or explicit confirmation for bulk sends, and avoid sending secrets, regulated data, or sensitive personal information in SMS bodies unless you are authorized to share it with TelTel and recipients.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill clearly uses environment variables and performs outbound network requests to a third-party SMS API, yet no explicit permissions are declared. Missing permission declarations reduce transparency and prevent users or platforms from understanding the skill's capabilities before use, which is a security and governance risk even if the behavior is consistent with the skill's purpose.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs users to send SMS messages through TelTel but does not clearly warn that recipient phone numbers, message contents, and possibly callback URLs are transmitted to a third-party service. This can cause inadvertent disclosure of personal or sensitive data, especially in agent-driven workflows where users may not realize external transmission is occurring.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal