ClawHub

Ring-a-Ding

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it can place real phone calls and share sensitive call details with third-party services without strong privacy and consent guardrails.

Install only if you trust Ring-a-Ding, its CLI, and its downstream providers with call metadata, transcripts, and any context you provide. Before each call, confirm the exact number, recipient, purpose, and any personal details being shared; avoid medical, insurance, financial, address, or order details unless they are necessary and the user explicitly approves them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly states that completed calls return full transcripts, structured summaries, and extracted data, but it does not require the agent to warn users that their conversations will be recorded, processed, and stored by third-party services. Because this skill is designed for real phone calls and may involve businesses, users, and potentially sensitive topics, the lack of an explicit privacy notice increases the risk of over-collection and uninformed disclosure of personal data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The examples encourage inclusion of medical, insurance, address, and order details in the call context and extraction schema without any caution to minimize sensitive data or confirm user consent. In practice, this can lead agents to transmit unnecessary personal or regulated information to the vendor and downstream providers, increasing privacy, compliance, and data exposure risk.

VirusTotal

60/60 vendors flagged this skill as clean.

View on VirusTotal