Is colygon/vapi safe?

https://github.com/openclaw/skills/tree/main/skills/colygon/vapi

78
CAUTION

The colygon/vapi skill is a legitimately scoped Vapi voice platform integration with no prompt injection, hidden instructions, or obvious malicious intent in SKILL.md. However, two meaningful concerns exist: the skill instructs the agent to execute a curl-pipe-bash pattern to install the Vapi CLI (remote code execution risk), and the included vapi-api.mjs executable could not be source-audited because the audit collection step did not pick up the .mjs file extension. The skill's outbound call and webhook capabilities represent inherent operational risk that warrants user confirmation controls.

Category Scores

Prompt Injection: 75/100 (weight 30%)
Data Exfiltration: 85/100 (weight 25%)
Code Execution: 65/100 (weight 20%)
Clone Behavior: 85/100 (weight 10%)
Canary Integrity: 90/100 (weight 10%)
Behavioral Reasoning: 65/100 (weight 5%)

Findings (8)

HIGH curl-pipe-bash CLI install pattern in SKILL.md -25

SKILL.md Option B explicitly instructs the agent to execute 'curl -sSL https://vapi.ai/install.sh | bash' to install the Vapi CLI. This pattern downloads and immediately executes a remote shell script without integrity verification. If vapi.ai is compromised, or if the agent is tricked into running this against a different URL, arbitrary code would execute in the agent environment.
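The download-then-verify shape that the finding above says is missing, as an added example that is neither the skill's code nor part of this audit. The fetch helper's curl flags are an assumption, and the pinned SHA-256 is a placeholder because the page publishes no digest for install.sh.

```shell
#!/usr/bin/env sh
# Added example, not from the colygon/vapi skill or the audit.
# For contrast, the pattern SKILL.md Option B asks the agent to run:
#   curl -sSL https://vapi.ai/install.sh | bash
# It executes whatever the server returns, with no chance to inspect
# or verify the script first.

# Portable SHA-256 of a file (sha256sum on Linux, shasum on macOS).
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Fetch the installer to disk instead of piping it to a shell.
# Flags are an assumption about a sensible curl invocation, not the
# skill's own: fail on HTTP errors, HTTPS only, TLS 1.2 or newer.
fetch_installer() {
    url="$1"; out="$2"
    curl -sSL --fail --proto '=https' --tlsv1.2 -o "$out" "$url"
}

# Run the downloaded script only if its digest matches a value pinned
# out of band. Returns 1 (and runs nothing) on mismatch.
verify_and_run() {
    script="$1"; expected="$2"
    actual=$(digest "$script")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $script: digest mismatch" >&2
        echo "  expected $expected" >&2
        echo "  actual   $actual" >&2
        return 1
    fi
    bash "$script"
}

# Typical use (needs network; not exercised by the test):
#   VAPI_INSTALL_SHA256='<placeholder: pin the digest you verified>'
#   fetch_installer https://vapi.ai/install.sh /tmp/vapi-install.sh
#   verify_and_run /tmp/vapi-install.sh "$VAPI_INSTALL_SHA256"
```

The pinned digest only helps if it is obtained from a channel the installer server cannot tamper with, so a compromised vapi.ai cannot simply serve a matching hash alongside a modified script.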

MEDIUM vapi-api.mjs content not captured by audit -10

The skill includes a Node.js executable at bin/vapi-api.mjs. The audit collection find command used a *.js glob pattern which does not match *.mjs files. As a result, the full source of this executable could not be reviewed. The file is confirmed present on disk and executable.

MEDIUM Agent instructed to run remote install script -15

The SKILL.md prompt directs the agent to install the Vapi CLI by piping a remote URL to bash. This constitutes a prompt instruction that, when followed, executes code outside the skill sandbox. The instruction appears in the agent-facing SKILL.md and would be acted upon when a user asks the agent to use the CLI mode.

MEDIUM MCP server provisioning expands agent tool surface -10

SKILL.md Option C instructs the agent to run 'vapi mcp setup' to configure an MCP docs server. This provisions an external process that could serve additional tool definitions to the agent, expanding capabilities beyond what the skill declares. The nature and trustworthiness of the MCP server content are not auditable from the skill alone.

LOW Webhook configuration allows arbitrary exfiltration endpoints -10

The skill exposes webhook configuration as a first-class capability. A user or attacker could configure a Vapi assistant with a webhook URL pointing to attacker-controlled infrastructure, causing call transcripts, DTMF inputs, or other event data to be sent externally. SKILL.md does not warn about validating webhook destinations.

LOW Outbound call initiation without strong authorization guard -15

The skill grants the agent the capability to initiate outbound phone calls to arbitrary numbers. While SKILL.md instructs the agent to confirm the to/from numbers before dialing, these confirmation steps are agent-side and could be bypassed by a crafted user prompt or by chaining with another skill.

LOW Canary files accessed post-install; process attribution ambiguous -15

A second batch of canary file PATH accesses appears in auditd at timestamp 1771907293 (approximately 5 seconds after skill files were installed). The initiating process is not directly visible in the provided SYSCALL data for this timestamp range. The monitoring framework reports all canary files intact, suggesting this is the audit teardown check rather than malicious access.

INFO VAPI_API_KEY required as environment secret -5

The skill requires VAPI_API_KEY to be present in the agent environment. This is standard practice for API-integrated skills but means the key is accessible to any code running in the agent session, including the unverified vapi-api.mjs.