Is arein/concierge safe?

https://github.com/openclaw/skills/tree/main/skills/arein/concierge

Overall score: 87/100
Verdict: SAFE

The arein/concierge skill is a legitimate travel concierge tool that provides contact lookup and AI-powered phone call capabilities. No malicious code, prompt injection, data exfiltration, or canary tampering was detected. The primary risk is capability-based: the skill enables an AI agent to make autonomous phone calls impersonating a user, which is a powerful social engineering vector even though it serves a legitimate purpose.

Category Scores (score out of 100, weight in the overall score)

Category               Score     Weight
Prompt Injection       82/100    30%
Data Exfiltration      90/100    25%
Code Execution         92/100    20%
Clone Behavior         95/100    10%
Canary Integrity      100/100    10%
Behavioral Reasoning   45/100     5%

Findings (7)

MEDIUM Autonomous phone call capability enables social engineering -30

The skill gives an AI agent the ability to autonomously call any phone number with a goal-driven AI voice agent using ElevenLabs voice synthesis. The agent can impersonate a user by name and conduct full conversations. While this is the skill's legitimate purpose (hotel booking), the same capability can be weaponized for vishing, impersonation, or unauthorized actions without additional safeguards.

MEDIUM Auto-infrastructure creates public tunnel without per-call consent -15

The call command auto-starts ngrok and a local Node.js server when the server is unavailable. This creates a publicly accessible tunnel to the local machine. While logs are written and processes are cleaned up, the auto-start behavior reduces the user's control over when their machine is exposed to the public internet.

LOW Multiple sensitive API keys stored in single config file -10

The skill instructs storing Twilio credentials, Anthropic API key, Deepgram key, ElevenLabs key, and ngrok token in ~/.config/concierge/config.json5. While necessary for functionality, this aggregation creates a high-value target. The Anthropic API key in particular could allow unauthorized model access if the config file is leaked.

LOW Broad shell execution surface via CLI commands -8

The skill instructs the agent to run arbitrary concierge CLI commands including find-contact (web scraping), call (phone calls), server management, and config operations. The agent is taught to compose these commands with user-supplied data (URLs, phone numbers, personal info). While not injection per se, the shell execution surface is broader than typical skills.

LOW Combination risk with information-gathering skills -10

If installed alongside skills that gather contact information, personal details, or browsing data, this skill's phone call capability could be chained into a multi-stage attack, for example scraping a target's details with one skill and then calling them via this skill.

INFO Version mismatch between SKILL.md and _meta.json -2

SKILL.md declares version 1.3.1 but _meta.json shows latest version 1.5.0. This is likely a documentation lag rather than a security issue, but indicates the SKILL.md may not reflect the current state of the tool.

INFO System file reads during installation are benign -5

/etc/passwd and /etc/locale.conf were read during the JIT compilation phase of the Node.js toolchain. These are standard system library calls for user home directory resolution and locale configuration, not skill-initiated behavior.