Back to skill

Security audit

Supercall

Security checks across malware telemetry and agentic risk

Overview

SuperCall is a coherent AI phone-calling skill, but it needs Review because it records and persists sensitive call content, exposes webhook infrastructure, and feeds raw call transcripts back into the agent without strong user-facing controls.

Install only if you are comfortable with a local agent placing real calls through your Twilio account, streaming call audio to OpenAI, exposing a webhook endpoint, and storing call transcripts locally. Before use, disable or explicitly govern recording where required, verify consent and legal obligations for automated calls, restrict who or what numbers can be called, protect Twilio/OpenAI/ngrok credentials, review and delete logs regularly, and treat returned transcripts as untrusted text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The plugin takes untrusted phone-call content and actively injects it back into the local agent via /hooks/wake or a system event, despite claiming reduced gateway-agent exposure. That creates a cross-channel prompt-injection path where a callee can influence the agent's next turn by speaking crafted instructions that are embedded in the callback text alongside the goal and transcript.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The provider enables call recording by default (`Record: "true"`, `RecordingChannels: "dual"`) for outbound calls, but the skill description does not disclose that calls may be recorded. In a voice-calling skill, silent recording creates privacy, consent, and regulatory risk, especially across jurisdictions that require one- or two-party consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The runtime can automatically create public network exposure via a tunnel or Tailscale when no explicit public URL is configured. For a phone-calling skill this may be operationally necessary for webhook delivery, but it still expands the host's network exposure and can make a locally bound service reachable from outside without an in-file user warning or explicit consent gate.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The description uses broad language such as handling phone conversations autonomously, confirming appointments, delivering messages, and navigating phone trees, which overlaps with many ordinary user requests. That increases the chance the skill is invoked in situations where users do not fully appreciate that it can place external real-world calls, interact with third parties, and incur privacy, consent, or financial consequences.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes autonomous calling and fully automatic IVR/DTMF navigation without an equally explicit warning about privacy, consent, identity representation, call recording/transcription, and potential harm to third parties. In context, this is more dangerous because the tool can autonomously converse with humans and systems, potentially share sensitive information, impersonate roles, and persist transcripts to disk.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The plugin description advertises broad autonomous calling capabilities ('handle phone conversations autonomously', appointment confirmation, message delivery, IVR navigation) without stating any invocation constraints, approval requirements, recipient restrictions, or consent boundaries. In a telephony skill, this increases the risk of unintended or abusive calls, social-engineering use, premium-number dialing, or autonomous contact with third parties because downstream systems may expose the tool in overly permissive contexts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The manager appends full call records to a local JSONL log, including transcripts, phone numbers, session identifiers, and call metadata, without any access controls, encryption, retention limits, or redaction in this code path. In a voice-calling skill, these records can contain highly sensitive personal, financial, or authentication information, so local compromise, shared-host access, backups, or accidental log exposure can leak substantial private data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code forwards raw caller audio directly into the OpenAI realtime conversation session, but there is no disclosure, consent, or gating logic in this component before third-party processing occurs. In a phone-calling skill, that means a callee or caller may have their voice content transmitted to an AI provider without notice, creating privacy, consent, and regulatory risk that is heightened for autonomous calls.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Recording is activated in code without any visible warning, consent flow, or disclosure in this file or the provided skill description. Because this skill autonomously places phone calls, undisclosed recording is more dangerous than in a passive telephony integration: it can capture third-party conversations at scale and expose the operator to privacy and compliance violations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code automatically attempts to expose the webhook server publicly through a tunnel or Tailscale if no public URL is present, but does not present any user-facing warning here before doing so. Silent network exposure is risky because operators may assume the service remains local while it becomes externally reachable, increasing the chance of unintended access or abuse.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The server logs full user speech transcripts verbatim, which can capture sensitive spoken data such as names, phone numbers, appointment details, authentication prompts, or other private information. In a voice-calling skill, this is particularly risky because call participants may not know their speech is being persisted to application logs, increasing privacy, compliance, and insider-access risk.

Missing User Warnings

Low
Confidence
91% confidence
Finding
Assistant responses are also logged verbatim, which can reveal sensitive conversation content, operational prompts, or personal information repeated back to the caller. While typically less sensitive than raw user speech, in this autonomous phone-call context the logs may still reconstruct substantial portions of private conversations.

Ssd 3

Medium
Confidence
91% confidence
Finding
The code serializes the entire call transcript into plain callback text and forwards it into the agent/session handling path. This can leak sensitive spoken data to broader system contexts than necessary and amplifies the risk of prompt-injection because arbitrary callee speech is preserved verbatim in a form likely to be consumed by an LLM.

Ssd 1

Medium
Confidence
88% confidence
Finding
The initial greeting is injected as a fake user message containing system-style text, which blurs trust boundaries between system and user roles. If the greeting string is influenced by untrusted input, it can act as prompt injection material that alters model behavior, causes policy bypass, or triggers unintended tool use at call start.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access, suspicious.exposed_secret_literal

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/tunnel.ts:70

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/webhook.ts:335

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/manager.ts:58

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/providers/twilio.ts:55

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
src/tunnel.ts:291