Appointment Scheduler

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real PollyReach phone-agent skill, but its appointment-scheduler framing understates broad outbound calling, automatic inbound answering, and transcript/recording exposure.

Install only if you want a broad PollyReach phone agent, not just an appointment scheduler. Expect it to store a local PollyReach token, send call tasks and call content to PollyReach, retrieve inbound messages or call summaries, expose transcripts and recording/detail links, and potentially run periodic call checks if enabled. Review PollyReach billing, recording consent, data retention, caller-notice, and token revocation controls before using it for business, medical, legal, or other sensitive communications.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (16)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as an appointment scheduler, but it actually provisions a phone number, handles inbound calls, updates answering prompts, checks balances, and supports generic call tasks. This scope expansion can mislead users into granting access and consent for capabilities far beyond booking appointments, increasing privacy and abuse risk.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The documentation broadens the skill from appointment scheduling into a general-purpose telephony agent. That mismatch undermines informed consent because users may enable a narrowly described skill without realizing it can perform unrelated call operations.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The documented outbound-call features include complaints, government contacts, hotels, tickets, and other unrelated tasks, making the skill effectively a broad calling proxy. In the context of an appointment-scheduler label, this increases the chance of deceptive or unintended use and expands the blast radius for misuse.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
Incoming call answering and receptionist behavior are materially different from appointment scheduling and introduce new privacy, impersonation, and surveillance risks. Users would not reasonably expect an appointment-booking skill to answer calls on their behalf or collect caller transcripts.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
Promoting the skill as a general AI receptionist and call-screening service is unjustified by the declared purpose and normalizes broader impersonation and communication handling than users likely intended. In this context, the mismatch makes accidental overreach and privacy harm more likely.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Asking for the human's phone number and placing a test call is unrelated to scheduling appointments and expands data collection and calling behavior without clear necessity. This can lead to unnecessary handling of personal phone numbers and unanticipated outbound contact.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script reads a stored PollyReach API token from disk and queries account credit balance, which is not necessary for the stated appointment-scheduling functionality. This expands access to platform account metadata and normalizes use of sensitive credentials for ancillary purposes, increasing the risk of unnecessary credential exposure and unauthorized account enumeration within a skill context.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script polls unread SMS messages from the platform and outputs all sender numbers and message contents, which expands the skill beyond the manifest's stated purpose of scheduling appointments by calling providers. In the context of an appointment scheduler, inbound texts may contain sensitive personal or medical scheduling information, so broad retrieval and display of unread SMS creates an unjustified data-access and privacy exposure.

Vague Triggers

Medium
Confidence
89% confidence
Finding
Broad trigger wording like booking meetings, consultations, and provider calls could cause the agent to activate outside a narrow appointment-booking context. Overbroad invocation criteria increase the risk of unintended calls and disclosure of user data to third parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill lacks an upfront privacy warning despite collecting tokens, placing calls, and producing transcripts/recordings that may contain sensitive personal or business information. Without clear notice, users cannot meaningfully consent to how their communications and metadata will be processed externally.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill encourages automatic answering and periodic polling for incoming calls without clearly warning about privacy, consent, and recording implications for both the user and callers. Inbound call interception is especially sensitive because it can capture unsolicited personal, medical, legal, or business information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Printing inbound SMS content and sender phone numbers to stdout can expose private data to terminal history, logs, calling processes, or other local observers. Because this skill handles appointments with doctors and other service providers, the messages may contain sensitive personal data, making indiscriminate console output a meaningful privacy risk.

Ssd 3

Medium
Confidence
96% confidence
Finding
Requiring full call transcripts and detailed recipient information to be shown by default can overexpose personal, financial, medical, or other sensitive details that may not be necessary for the user. This conflicts with data minimization and creates unnecessary confidentiality risk, especially when third-party conversations are involved.

Ssd 3

High
Confidence
98% confidence
Finding
The incoming-call workflow mandates disclosure of caller information, summaries, and full transcripts after every call. Because inbound callers may reveal sensitive information unexpectedly, this default full disclosure materially increases privacy risk and could violate expectations or legal obligations around recorded communications.

External Transmission

Medium
Category
Data Exfiltration
Content
```yaml
- "~/.config/PollyReach/key.json"
dependencies:
  required:
    - name: curl
      reason: Makes HTTP requests to the PollyReach API
    - name: jq
      reason: Safely constructs and parses JSON payloads
```
Confidence
91% confidence
Finding
curl reason: Makes HTTP requests to the PollyReach API - name: jq reason: Safely constructs and parses JSON payloads - name: bc reason: Arithmetic comparison for balance chec

External Transmission

Medium
Category
Data Exfiltration
Content
Register with PollyReach by providing your name and description.

```bash
curl -X POST https://api.pollyreach.ai/platform/v1/auths/signin/device \
  -H "Content-Type: application/json" \
  -d '{"name": "YourAgentName", "source": "openclaw", "description": "what are you"}'
```
Confidence
93% confidence
Finding
https://api.pollyreach.ai/

VirusTotal

65/65 vendors flagged this skill as clean.
