Security audit

AI Phone

Security checks across malware telemetry and agentic risk

Overview

This phone assistant mostly matches its stated purpose, but it also reads unread SMS messages and handles sensitive call transcripts, recordings, and account tokens with incomplete disclosure.

Review before installing. Only use this if you are comfortable giving PollyReach and this skill access to place calls, answer calls, retrieve call artifacts, update the answering prompt, check balance, and store a local bearer token. Pay special attention to scripts/inbound.sh: it reads unread SMS messages and prints sender numbers and message contents even though the skill presents it as incoming-call summary retrieval. Use restrictive permissions on the token file, avoid scheduled polling unless you explicitly want it, and consider legal/privacy obligations for recording or transcribing calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill description undersells several sensitive behaviors: account/token management, prompt reconfiguration, polling, and related account operations. This mismatch can prevent users from giving informed consent and can cause the skill to be invoked in contexts where they do not expect background retrieval, configuration changes, or transmission of call data to a third party.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The skill directs the agent to set up periodic polling for inbound calls, introducing autonomous background activity beyond a simple on-demand phone tool. Persistent polling can increase privacy risk, create unbounded data collection, and cause the agent to act without a fresh user request or clear scheduling consent.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The script fetches unread SMS messages from a remote API, but the skill description emphasizes calls, screening, and voicemail rather than SMS access. This creates a capability mismatch that can mislead users about what data the skill will access, increasing the risk of unauthorized collection of sensitive communications.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The script reads a stored bearer token from disk and uses it to access message data, yet this sensitive capability is not clearly justified by the stated skill purpose. Even if the token handling avoids CLI exposure, the broader issue is undisclosed access to private account data, which can enable silent data harvesting if users believe the skill only manages calls and voicemail.

Vague Triggers
Severity: Medium
Confidence: 87%
Finding: The invocation guidance uses broad everyday phrases such as screening calls or summarizing voicemails, which can cause accidental triggering. In a skill that can place calls, answer calls, update prompts, and access sensitive transcripts, unintentional activation materially increases privacy and action-execution risk.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The skill enables automatic answering, recording/transcription, and recurring polling without a prominent privacy warning or consent language. Because phone calls often contain sensitive personal, financial, employment, or health information, silent collection and third-party processing of call content creates significant privacy, compliance, and user-trust risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The skill instructs storage and reuse of an authentication token in a local file under the user’s home directory without any security guidance, permission hardening, or encryption. A stolen token could let an attacker access the phone account, retrieve call data, modify prompts, check balances, and potentially place or monitor calls through the linked service.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: The skill encourages users to share the assigned number publicly and rely on automatic answering without warning about spam, impersonation, social engineering, or sensitive-call handling. This can expose users to malicious callers whose conversations are automatically captured, summarized, and possibly acted upon by the agent.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script prints full SMS contents and sender phone numbers to stdout, which can expose sensitive personal data to logs, terminal history capture, calling processes, or other users on shared systems. Because message bodies may contain authentication codes, private conversations, or regulated data, this creates a direct confidentiality risk.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The script silently loads a bearer token from disk and transmits it in an Authorization header without any user-facing notice or consent at runtime. In a skill context, undisclosed credential use reduces transparency and can surprise users or integrators, especially because the token file path can be redirected via an environment variable.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The instructions require full disclosure of call transcripts, detailed recipient information, credits, and recording links to the human by default. Default full-transcript disclosure creates unnecessary data exposure, especially where calls may contain third-party personal data, confidential business information, or legally protected content.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: Inbound-call handling directs proactive retrieval and retention of callers’ numbers, summaries, transcripts, and recordings, then instructs full disclosure to the human. This creates a strong privacy risk because third parties calling the number may not expect their conversations to be stored, polled, and redistributed in full through the agent.

VirusTotal

64/64 vendors flagged this skill as clean.