Is jooey/callmac safe?

https://github.com/openclaw/skills/tree/main/skills/jooey/callmac

Score: 88 (SAFE)

This is a legitimate text-to-speech skill for macOS that uses Microsoft Edge TTS services to generate mixed Chinese/English audio. The skill contains executable Python scripts for audio processing using standard tools like ffmpeg and afplay, but no malicious functionality was detected.

Category Scores

Prompt Injection 95/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 85/100 · 10%
Canary Integrity 85/100 · 10%
Behavioral Reasoning 90/100 · 5%

Findings (4)

MEDIUM System Command Execution -20

The skill contains Python scripts that execute system commands including ffmpeg, afplay, and osascript for audio processing and volume control. While these appear legitimate for TTS functionality, they represent code execution capabilities.

LOW Canary File Access During Monitoring -10

System processes accessed sensitive credential files (.env, SSH keys, AWS credentials) during the monitoring period. However, this appears to be from system monitoring rather than the skill code itself.

LOW Network Activity During Installation -15

Normal git clone operations with connections to GitHub and CDN endpoints. No unexpected network behavior detected.

INFO Canary Files Remained Intact -15

While canary files were accessed during monitoring, they were not modified or exfiltrated, indicating no credential theft occurred.