Security audit

Omnicall AI Gateway — 248 LLMs, keyless, OpenClaw default

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it can reroute an agent’s model traffic and prompts through a third-party paid gateway by default.

Install only if you are comfortable sending model prompts and related agent context to Omnicall’s hosted service. Avoid using it as a global default in sensitive workspaces unless you have reviewed the router package, billing behavior, wallet/payment setup, and how to revert the routing change.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (4)

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The metadata description is extremely broad, advertising the skill for nearly any LLM, generation, or live-data need. In agentic environments, this can cause over-selection of the skill and unnecessary routing of user prompts and context to an external third-party endpoint, increasing the chance of unintended data exposure and unreviewed tool use.

Vague Triggers

Medium

Confidence: 93% confidence
Finding: The "When to use this" section lists very general conditions like needing any LLM, any generation capability, or live data, without guardrails. That makes the skill applicable in many ordinary contexts and can cause an agent to invoke it by default, sending potentially sensitive prompts, files, or conversation context to Omnicall even when a safer local or first-party option exists.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill promotes a keyless external gateway but does not warn users that prompts, tool inputs, and possibly surrounding agent context will be transmitted to a third-party network endpoint. This omission is dangerous because users may assume the skill is just a local capability upgrade rather than a data egress path, leading to accidental disclosure of confidential or regulated information.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The installation guidance says Omnicall can "become the default" and route every request to its endpoint, but it does not present this as a security-relevant behavior change or warn about the resulting global data egress. In context, this is more dangerous than a single optional integration because it can silently redirect all future model traffic—including sensitive prompts and system context—to an external service.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal