Trust Assessment
phone-agent received a trust score of 10/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 20 findings: 4 critical, 4 high, 11 medium, and 1 low severity. Key findings include unsafe environment variable passthrough, file read + network send exfiltration, and credential harvesting.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The Manifest Analysis layer scored lowest at 0/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (20)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| CRITICAL | File read + network send exfiltration: AI agent config/credential file access. Remove access to sensitive files not required by the skill's stated purpose. SSH keys, cloud credentials, and browser data should never be read by skills unless explicitly part of their declared functionality. | Manifest | skills/kesslerio/phone-agent/SKILL.md:30 |
| CRITICAL | Credential harvesting: reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/kesslerio/phone-agent/scripts/server.py:26 |
| CRITICAL | Credential harvesting: reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/kesslerio/phone-agent/scripts/server.py:32 |
| CRITICAL | Credential harvesting: reading well-known credential environment variables. Skills should only access environment variables they explicitly need. Bulk environment dumps (os.environ.copy, JSON.stringify(process.env)) are almost always malicious. Remove access to Keychain, GPG keys, and credential stores. | Manifest | skills/kesslerio/phone-agent/scripts/server_realtime.py:24 |
| HIGH | Unsafe environment variable passthrough: access to well-known credential environment variables. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/kesslerio/phone-agent/scripts/server.py:26 |
| HIGH | Unsafe environment variable passthrough: access to well-known credential environment variables. Minimize environment variable exposure. Only pass required, non-sensitive variables to MCP servers. Use dedicated secret management instead of environment passthrough. | Manifest | skills/kesslerio/phone-agent/scripts/server_realtime.py:24 |
| HIGH | Sensitive path access: AI agent config. Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared. | Static | skills/kesslerio/phone-agent/SKILL.md:30 |
| HIGH | Unpinned dependencies in requirements.txt. The `scripts/requirements.txt` file specifies dependencies without pinning them to exact versions. This allows for the installation of newer, potentially malicious or incompatible versions of packages, leading to supply chain attacks (e.g., dependency confusion, malicious package updates) or unexpected behavior. An attacker could publish a malicious package with a higher version number, which would then be installed during `pip install -r`. Pin all dependencies to exact versions (e.g., `fastapi==0.104.1`). Consider using a lock file (e.g., `Pipfile.lock` or `poetry.lock`) for deterministic builds and enhanced supply chain security. | LLM | scripts/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version: requirement 'fastapi' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:1 |
| MEDIUM | Unpinned Python dependency version: requirement 'uvicorn[standard]' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:2 |
| MEDIUM | Unpinned Python dependency version: requirement 'python-multipart' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:3 |
| MEDIUM | Unpinned Python dependency version: requirement 'twilio' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:4 |
| MEDIUM | Unpinned Python dependency version: requirement 'deepgram-sdk' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:5 |
| MEDIUM | Unpinned Python dependency version: requirement 'openai' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:6 |
| MEDIUM | Unpinned Python dependency version: requirement 'websockets' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:7 |
| MEDIUM | Unpinned Python dependency version: requirement 'python-dotenv' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:8 |
| MEDIUM | Unpinned Python dependency version: requirement 'requests' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:9 |
| MEDIUM | Unpinned Python dependency version: requirement 'pyyaml' is not pinned to an exact version. Pin Python dependencies with '==<exact version>'. | Dependencies | skills/kesslerio/phone-agent/scripts/requirements.txt:10 |
| MEDIUM | Potential prompt injection via `task_config` interpolation. The `get_task_prompt` function in `scripts/server.py` directly interpolates the `task_config` dictionary into the system prompt string without sanitization. If `task_config` can be influenced by untrusted user input (e.g., through an API call or user-provided configuration), an attacker could inject malicious instructions into the LLM's system prompt. This could lead to the LLM performing unintended actions, revealing sensitive information, or generating harmful content. Implement strict validation and sanitization for any user-controlled input that contributes to the LLM prompt. Avoid direct string interpolation of untrusted data into prompts. Consider using templating engines with auto-escaping or explicit prompt construction methods that prevent arbitrary instruction injection. If `task_config` is intended to be internal and trusted, ensure its source is securely controlled. | LLM | scripts/server.py:97 |
| LOW | Storage of sensitive call transcripts and results on disk. The `save_call_result` function in `scripts/server.py` writes full call transcripts and results, which may contain sensitive user conversations, to local disk in the `CALLS_DIR`. While this is not direct data exfiltration to an external party, it creates a local data store of potentially sensitive information. If the server's filesystem is compromised or improperly secured, this data could be accessed by unauthorized parties, leading to a data breach. Implement appropriate access controls and encryption for the `CALLS_DIR` to protect sensitive data at rest. Regularly review and purge old data that is no longer needed. Consider whether storing full transcripts on disk is strictly necessary or whether sensitive portions can be redacted or stored in a more secure, purpose-built data store. Inform users about data retention policies. | LLM | scripts/server.py:115 |
Full report: https://skillshield.io/report/1ed2dfcc8a022e15