Is eypam/pamela-call safe?

https://github.com/openclaw/skills/tree/main/skills/eypam/pamela-call

92 · SAFE

The eypam/pamela-call skill is documentation-only, containing no executable code, no prompt injection, and no malicious behavior; it passed all technical security checks including full canary file integrity. The skill is a legitimate wrapper for the ThisIsPamela voice AI service, and its risks are inherent to its stated purpose: call audio and transcripts are transmitted to Pamela's servers by design, the skill enables autonomous outbound phone calls with metered billing at $0.10/min and no enforced call limits, and the phone-call capability could be exploited via prompt injection in a multi-skill agent context for social engineering or verbal information exfiltration. Users should install this skill only when they understand and accept these operational, privacy, and cost trade-offs and have configured appropriate agent-level guardrails around call authorization.

Category Scores

Prompt Injection 97/100 · 30%
Data Exfiltration 83/100 · 25%
Code Execution 98/100 · 20%
Clone Behavior 93/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 68/100 · 5%

Findings (5)

MEDIUM Call Audio and Transcripts Transmitted to Third-Party by Design -12

All call audio and transcripts generated via this skill are sent to Pamela's servers and may be stored or forwarded to configured webhooks. This is explicit, documented behavior — not a hidden exfiltration mechanism — but users must understand that any sensitive conversation content discussed during AI-initiated calls exits their environment and is subject to Pamela's data retention and privacy practices.

LOW Unbounded Outbound Phone Call Capability Requires Agent-Level Guardrails -20

This skill instructs the agent to make outbound phone calls autonomously on behalf of users. Without explicit per-call user confirmation requirements, a compromised agent context (prompt injection from processed user content, malicious documents, or chained skills) could trigger unwanted calls for social engineering, harassment, or mass dialing purposes. The skill explicitly promotes 'unlimited scale' operation with no built-in rate limiting.

LOW Metered API Billing Exposure -8

Each connected phone call incurs charges of $0.10/minute, with a 1-minute minimum, on the user's Pamela account. A runaway agent loop or adversarially triggered call sequence could accumulate substantial charges without the user's awareness. The skill recommends enabling billing alerts but does not enforce any call frequency or spend limits itself.

INFO Sensitive Credential File Reads Detected — Attributed to Audit Monitoring System, Not Skill 0

Filesystem and auditd monitoring recorded read-only access to .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP application credentials at two points during the audit window. Critically, the first batch of accesses (audit timestamps 1771907481.618–1771907481.625) predates the git clone operation (audit timestamp 1771907487.134) by approximately six seconds, making any involvement of the skill code logically impossible. The second batch (audit timestamps 1771907504.613–1771907504.624) occurred after install and is temporally consistent with the oathe audit framework performing its post-install canary integrity verification. All six files remained byte-for-byte unmodified throughout the audit window as confirmed by the canary integrity check passing.

INFO Clean Install — Expected GitHub Connection Only, Minimal Filesystem Footprint 0

The skill installation made a single expected outbound TCP connection to GitHub (140.82.121.3:443) to perform a sparse-checkout of the skills monorepo. Only two files were added to the filesystem, exactly matching the declared skill contents. No connections to Pamela's API endpoints (api.thisispamela.com) or any other third-party hosts occurred during installation. The pre-existing connection to 185.125.188.58:443 (Ubuntu Canonical/Snap) was present before the audit began and is unrelated to this skill.