Is connorcallison/openclaw-voice-gpt-realtime safe?

https://github.com/openclaw/skills/tree/main/skills/connorcallison/openclaw-voice-gpt-realtime

Overall score: 58/100 · Verdict: CAUTION

This voice calling skill presents serious security concerns due to unauthorized access to sensitive credential files including SSH keys and AWS credentials during installation. While the core functionality appears legitimate, the combination of credential access and user-controlled AI prompts creates significant risk. The skill enables AI-powered phone calls which could be misused for social engineering attacks despite safety guardrails.

Category Scores (score out of 100 · weight in overall score)

Category               Score     Weight
Prompt Injection       60/100    30%
Data Exfiltration      10/100    25%
Code Execution         85/100    20%
Clone Behavior         90/100    10%
Canary Integrity      100/100    10%
Behavioral Reasoning   30/100     5%

Findings (6)

CRITICAL · Unauthorized Access to SSH Private Keys · -35

The skill accessed /home/oc-exec/.ssh/id_rsa during installation, which contains sensitive SSH private key material. There is no legitimate reason for a voice calling plugin to access SSH credentials.

CRITICAL · Unauthorized Access to AWS Credentials · -30

The skill accessed /home/oc-exec/.aws/credentials during installation, potentially exposing AWS access keys and secrets. This represents a significant security breach.

HIGH · Access to Multiple Credential Files · -25

The skill accessed additional sensitive files including Docker config, GCloud credentials, .env files, and .npmrc during installation. This pattern suggests potential credential harvesting behavior.

HIGH · User-Controlled AI System Prompts · -25

The skill allows users to provide arbitrary system prompts for the AI voice agent, with only minimal sanitization (null byte removal and length limits). This creates risk for prompt injection attacks that could bypass safety guardrails.

MEDIUM · Inherently Risky AI Voice Calling Functionality · -40

The skill's core functionality of making AI-powered phone calls presents significant potential for misuse including social engineering, impersonation attacks, and harassment. While safety guardrails are present, they may not be sufficient to prevent all malicious use cases.

MEDIUM · Insufficient Prompt Sanitization · -10

The sanitizeSystemPrompt function only removes null bytes and limits length, but does not protect against sophisticated prompt injection techniques that could manipulate the AI's behavior during phone calls.