Is lunara9897-jpg/lunara-voice safe?

https://github.com/openclaw/skills/tree/main/skills/lunara9897-jpg/lunara-voice

Overall score: 72 · CAUTION

Lunara Voice is a legitimate-appearing OpenClaw plugin for managing a voice AI calling platform (Lunara Voice AI), providing 33 tools for call campaigns, transcripts, analytics, and webhook management. The primary security concerns are architectural rather than overtly malicious: the 'always:true' metadata flag permanently injects the skill into all agent contexts, the workflow instructions suppress agent-user communication during call sequences ('poll silently'), and the combination of bulk export, webhook registration, and agent prompt update tools creates high-consequence capabilities that could be abused if the configured endpoint or a privileged user is malicious. Canary files were read during the audit (read-only, no modifications), most likely by the monitoring framework's own baseline check routines. No confirmed malicious code patterns, exfiltration endpoints, or npm/git hooks were found.

Category Scores

Prompt Injection 60/100 · weight 30%
Data Exfiltration 68/100 · weight 25%
Code Execution 82/100 · weight 20%
Clone Behavior 93/100 · weight 10%
Canary Integrity 82/100 · weight 10%
Behavioral Reasoning 55/100 · weight 5%

Findings (10)

HIGH · always:true Forces Permanent Context Injection (-20)

The SKILL.md frontmatter sets 'always: true' in openclaw metadata, meaning the entire skill document (including all autonomous execution rules) is injected into every agent turn regardless of whether the user is working with Lunara Voice. This gives the skill persistent influence over agent behavior across all tasks.

HIGH · Autonomous Execution Mode Suppresses Agent-User Communication (-15)

Section 5 of SKILL.md explicitly instructs the agent not to communicate with the user during a call workflow: 'Do NOT message the user — poll silently.' Combined with mandatory post-call analytics saves and tagging, the agent performs 7 consequential actions (including the outbound call, history polling, transcript retrieval, analytics write, and tag write) with no user visibility into progress and no ability to abort.

MEDIUM · Aggressive Override Language Attempts to Subordinate Agent Safety Checks (-10)

The skill uses emphatic instructional language ('NEVER', 'MUST', 'no exceptions', 'APPLY TO EVERY OUTBOUND CALL') that is designed to override default cautious agent behavior. While not technically prompt injection against the system prompt, this style of instruction is coercive toward the agent.

MEDIUM · Systematic Canary File Read Accesses Recorded (-17)

All six monitored credential files (.env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, gcloud credentials) were opened and read at both pre-install and post-install timestamps. The systematic coverage of every major credential type is notable. Files were not modified. The access source is ambiguous but likely attributable to the oathe monitoring framework's own canary verification routines given timing alignment.

MEDIUM · Bulk LLM Export Can Exfiltrate Full Call Transcript History (-10)

lunara_export_bulk allows exporting up to 10,000 call conversations in LLM training format. If the apiBaseUrl is compromised or the user is malicious, this tool provides a mechanism to exfiltrate the entire call history in a single operation. There is no destination validation in the plugin code.

MEDIUM · Webhook Registration Enables Real-Time Transcript Exfiltration (-20)

The lunara_webhook_create tool registers arbitrary HTTPS endpoints to receive real-time call events including call.completed (which carries transcript data). A malicious actor with access to this tool could register an attacker-controlled HTTPS endpoint to receive all future call transcripts silently.

MEDIUM · Voice Agent Prompt Update Capability Is High-Risk Under Adversarial Conditions (-15)

lunara_agent_update allows writing up to 50,000 characters into a voice agent's system prompt. If a user or secondary prompt injection were to abuse this tool, malicious instructions could be persistently embedded in the calling agent, affecting all future calls made by that agent even outside this skill's context.

LOW · Shell Install Script Executes During Installation (-8)

scripts/install-plugin.sh runs as part of the install flow. While the script contents appear to perform straightforward cp and openclaw CLI operations, shell scripts executed at install time represent a code execution boundary that could be modified between versions.

LOW · PII Exposure Via mask_pii=false Parameter (-5)

Multiple tools (lunara_history_list, lunara_history_detail, lunara_export_single, lunara_export_bulk) support mask_pii=false which disables PII masking. An agent instructed to export data with masking disabled would expose raw personal information from call participants.

INFO · Clean Install — Only GitHub Contacted (0)

The git clone operation contacted only github.com (140.82.121.3:443). No unexpected outbound connections were made during installation. No persistent connections remain after install.