shadow-number
Audited by Socket on Feb 26, 2026
1 alert found:
Security
The skill's stated purpose (acquiring disposable phone numbers and delivering OTPs) matches the described capabilities, but the design raises significant supply-chain and abuse risks. It requires a wallet credential (SHADOW_WALLET_KEY) which the agent will use to perform automated micropayments, and it routes all sensitive verification data (phone numbers and OTPs) through a third-party API hosted on railway.app. While the code is not directly executing obfuscated or self-modifying malware, these behaviors enable credential forwarding, potential fund loss, privacy violations, and explicit evasion of phone-based identity controls. If deployed to an AI agent with network and wallet permissions, this skill could be used for large-scale account creation or other abusive actions. Recommend restricting use, not providing wallet credentials to untrusted code, and avoiding routing authentication flows through unvetted third-party services.