PollyReach gives every AI agent a phone number and the ability to get things done over the phone — finding contacts, making calls, and completing tasks. Just...
Security Analysis
high confidenceThe skill's files, network calls, and file access are consistent with a phone/calling integration (PollyReach); nothing in the package appears to request unrelated credentials or perform unexplained system access.
Name/description (phone calls, inbound/outbound handling) match the code and documented API endpoints. The scripts only call api.pollyreach.ai / agent.pollyreach.ai and operate on a single credential file (~/.config/PollyReach/key.json), which is proportionate for a telephony service.
SKILL.md instructs the agent to register, poll for call completion, read unread messages, update prompts, check balance, and save a token to ~/.config/PollyReach/key.json. The scripts follow those instructions and do not attempt to read other system files or contact endpoints outside the pollyreach domains. Minor note: query.sh polls up to 300 times (long-running behavior) which could keep the agent waiting and generate repeated network traffic.
This is instruction-only with helper scripts and no install spec that downloads arbitrary code. Dependencies are common CLI tools (curl, jq, bc); only jq has suggested install commands. No high-risk download URLs or extract/install steps are present.
The skill does not request unrelated credentials and only needs a PollyReach token stored in ~/.config/PollyReach/key.json. One small gap: the scripts support overriding the key file via POLLYREACH_KEY_FILE, but that environment variable is not declared in SKILL.md's requires.env list—scripts will read whatever path that variable points to if set, which the user should be aware of.
always is false (not force-included) and the skill does not modify other skills or system-wide agent settings. It stores/reads a single local credential file under the user's config directory, which is expected for this functionality.
Guidance
This skill appears to do what it says: register an agent with PollyReach, store a service token in ~/.config/PollyReach/key.json, and use that token to make or check calls via PollyReach's API. Before installing: (1) Understand that activating requires the human to click an activation link and sign in with email (the service will then be able to place calls on your behalf); (2) confirm you trust the external domain (api.pollyreach.ai) because all call actions and any data you send will go to that service; (3) be aware the scripts allow overriding the credential file via POLLYREACH_KEY_FILE—don’t set that to point at unrelated secrets; and (4) expect long-polling behavior (query.sh may poll for a long time). If you are uncomfortable granting a third-party phone identity or sending call content to an external service, do not enable the skill.
Latest Release
v1.0.3
- Added explicit permissions for network access to PollyReach API endpoints. - Granted read/write file access to the PollyReach credentials file (`~/.config/PollyReach/key.json`). - Declared required dependencies (`curl`, `jq`, `bc`) and provided installation instructions for `jq`. - Documented available scripts and their purposes, including for outbound calls, activation, balance checking, inbound calls, and prompt updates.
Popular Skills
Published by @pollyreach on ClawHub
