Is alexa-cli safe?
https://clawhub.ai/buddyh/alexa-cli
alexa-cli is a documentation-only skill with no embedded code, no prompt injection, and clean clone behavior. However, it grants the agent control over physical IoT devices including smart locks, thermostats, and whole-home announcements. The primary risks are not from the skill being malicious but from the inherent danger of giving an AI agent control over physical security devices and access to Amazon account data via the ask command. The AWS credentials access during installation is concerning but likely attributable to the openclaw runtime rather than the skill itself.
Findings (10)
HIGH Physical world actuation — smart locks and security devices -30
The skill enables the agent to control physical security devices including smart locks via natural language commands ('lock/unlock the front door'). A prompt injection from another skill, a confused agent, or social engineering could result in unlocking physical doors.
HIGH Broadcast announcements to all devices -15
The --announce flag sends text-to-speech to every Echo device in the home. A malicious or confused agent could broadcast inappropriate, embarrassing, or alarming messages to all household members and guests simultaneously.
MEDIUM Alexa account data accessible via ask command -20
The 'alexacli ask' command returns Alexa's text responses to queries. An agent could be prompted to ask about calendar events, shopping lists, contacts, or purchase history, and then relay this information through the conversation or other channels.
MEDIUM Amazon refresh token stored in config and env var -15
The skill stores a long-lived Amazon refresh token in ~/.alexa-cli/config.json and optionally reads ALEXA_REFRESH_TOKEN from the environment. This token grants persistent access to the user's Amazon/Alexa account. Any skill or agent with filesystem access could read this token.
MEDIUM Arbitrary URL playback enables data exfiltration via URL parameters -5
The play --url command accepts arbitrary HTTPS URLs. An attacker could encode exfiltrated data in URL query parameters addressed to a server they control, and the Echo device would make the request to fetch the audio.
MEDIUM AWS credentials file accessed during installation -15
Filesystem monitoring detected a read of ~/.aws/credentials during the skill installation process. The alexa-cli skill has no stated need for AWS credentials. This access likely comes from the openclaw runtime rather than the skill itself, but it exposes sensitive credentials to the installation process.
MEDIUM External supply chain dependency via brew tap and go install -15
Installation pulls binaries from buddyh/tap (Homebrew) or github.com/buddyh/alexa-cli (Go). If these external repositories are compromised, the installed binary could contain malicious code. The skill itself is safe but the binary it depends on is an external trust boundary.
LOW Shell command execution via natural language passthrough -10
The 'alexacli command' subcommand passes arbitrary natural language to Amazon's Alexa API. While this is the skill's core purpose, it creates an execution surface where the agent translates user intent into shell commands with user-supplied strings. Command injection via the -d or text arguments is mitigated by alexacli being a compiled binary (not a shell script), but the natural language interface is inherently unpredictable.
LOW Skill encourages agent to prefer natural language commands -10
The note 'For AI/agentic use, alexacli command with natural language is preferred' encourages the agent to use the most powerful and least predictable interface. This is not malicious, but it increases the risk surface by steering agents toward the broadest command interface.
INFO Unofficial Amazon API usage -10
The skill explicitly notes it uses Amazon's unofficial API (same as the Alexa app). This means Amazon could break compatibility at any time, and the API usage may violate Amazon's terms of service. Token expiry every 14 days provides some natural limit on persistent access.