Is jayakumark/voicemonkey safe?
https://github.com/openclaw/skills/tree/main/skills/jayakumark/voicemonkey
The jayakumark/voicemonkey skill is a pure markdown documentation file with no executable code, no prompt injection, no data exfiltration logic, and no supply-chain risk. Installation consists solely of a git sparse-checkout of static markdown files from the expected openclaw/skills repository; all canary honeypots remain intact and the canary file reads observed in monitoring are attributable to the oathe audit harness running before the install began. The primary residual concern is inherent to the service itself: once installed, the skill gives an agent the capability to push arbitrary TTS, audio, video, and web content to the user's home Alexa devices, which could be weaponized if the agent is separately compromised.
Findings (4)
LOW API token exposed in GET request URL query string -12
The SKILL.md documents a GET-based API call variant that places the VOICEMONKEY_TOKEN directly in the URL query string. While this follows the upstream VoiceMonkey API design, tokens in URLs are routinely captured in web server access logs, HTTP proxies, browser history, and packet captures. The recommended Authorization header pattern is also documented and avoids this issue.
LOW Skill grants agent capability to push arbitrary content to user's home devices -18
When installed, this skill gives any agent with access to it the ability to make TTS announcements (supporting SSML emotion/prosody tags), play arbitrary HTTPS-hosted audio/video, display arbitrary images, and open arbitrary URLs on Echo Show screens. An attacker who can influence agent behavior through other means could use this capability to deliver social-engineering audio, fake authority messages, or phishing pages directly to the user's home environment without the user's knowledge.
INFO Canary file reads observed — attributed to monitoring infrastructure, not skill -4
Inotifywait and auditd recorded OPEN/ACCESS events against canary files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, GCP credentials) at two points during the audit window. Cross-referencing timestamps shows the first batch (audit events 254-259, timestamp 1771933878) occurred approximately 6 seconds before the git clone started (event 486, timestamp 1771933884), and both batches coincide with sudo/PAM authentication sequences standard to the oathe monitoring harness. No skill-installed code was running at either point. All canary files confirmed intact.
INFO Skill documentation references external console URL agents may be prompted to visit -3
SKILL.md links to console.voicemonkey.io for setup guidance and API exploration. This is a legitimate vendor console with no injection risk, but in agent contexts with browser or fetch capabilities, references to external URLs in skill documentation are noted as a low-level observation.