Is alvinunreal/clawtotalk safe?

https://github.com/openclaw/skills/tree/main/skills/alvinunreal/clawtotalk

93
SAFE

The alvinunreal/clawtotalk skill is a straightforward Markdown documentation guide for setting up the Claw To Talk mobile voice companion app. The skill contains no executable code, no data exfiltration logic, and no prompt injection patterns; install behavior was limited to a clean git clone from the openclaw monorepo. The only notable observations are mild behavioral steering toward an external documentation URL and pre-existing OpenClaw gateway network connections in the test environment that predate the skill install.

Category Scores

Prompt Injection 90/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 99/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 88/100 · 5%

Findings (4)

LOW Agent directed to repeatedly reference external URL -10

The skill instructs the agent to 'Always send users here for the latest screenshots and updates' pointing to clawtotalk.com/howto. While this is standard documentation practice, it constitutes mild behavioral steering that could cause the agent to fetch or cite unverified external content if it has web tools.

LOW Pre-existing openclaw-gatewa process holds external AWS connections -12

Post-install network state shows openclaw-gatewa (pid=1096) with ESTABLISHED connections to 34.233.6.177:443 (AWS). This process was running before the skill install (low PID, gateway.pid in pre-install filesystem baseline) and is part of the OpenClaw test harness, not triggered by this skill.

LOW Skill instructs agent to guide user through third-party app install and network reconfiguration -12

When invoked, the skill would direct an agent to instruct the user to install an unverified mobile app, modify openclaw.json, and run tailscale serve commands. These actions are not malicious in context but represent non-trivial system changes the agent would narrate on behalf of a third-party developer.

INFO Canary file accesses attributable to audit system baseline scans -5

Auditd PATH records show accesses to .env, .ssh/id_rsa, .aws/credentials and other sensitive files, but all occur in batched groups at timestamps corresponding to pre-install baseline setup (1771911586.406) and post-install canary verification (1771911611.021), matching the audit harness scan pattern.