Lunara Voice

Security checks across malware telemetry and agentic risk

Overview

This is a real voice-calling plugin, but it needs Review because it can place calls, run large campaigns, expose transcripts, export call data, manage API keys, and create webhooks with weak in-skill safeguards.

Install only if you trust the publisher and intend to let OpenClaw agents operate a Lunara Voice account. Use a least-privilege API key, restrict who can invoke call, campaign, key-management, export, and webhook tools, require manual confirmation before outbound calls or campaign starts, keep PII masking enabled by default, and approve any bulk export or webhook destination before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch

High (98% confidence)
Finding
The implementation materially exceeds the declared skill purpose. A bundle described as install/publish helpers actually provides powerful operational capabilities including API key management, outbound telephony, transcript export, analytics mutation, and webhook administration, which creates a strong deceptive-capability mismatch and can bypass user/admin expectations during approval.

Context-Inappropriate Capability

High (97% confidence)
Finding
The skill includes API key lifecycle operations despite being presented as a helper bundle. Key creation, listing, revocation, and deletion are security-sensitive administrative actions that can enable account takeover, secret sprawl, or destructive changes if a user or agent invokes them under false assumptions about the plugin's scope.

Context-Inappropriate Capability

High (98% confidence)
Finding
Outbound call and campaign control is a high-impact operational capability unrelated to an install/publish helper description. Misuse could trigger unauthorized calling, financial charges, spam/abuse, and reputational or legal exposure, especially because the tools support bulk campaign creation and start/stop control.

Context-Inappropriate Capability

High (99% confidence)
Finding
Bulk export of conversation history and transcripts for AI training is far outside the declared helper-bundle scope and enables large-scale data exfiltration. Because these exports can include sensitive call content and metadata, the mismatch makes the feature more dangerous by hiding a mass data extraction capability behind an innocuous package description.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
Webhook creation and management allow configuration of external event delivery endpoints, which can be used to route operational data outside the platform. In a plugin advertised as a helper bundle, this hidden integration surface increases the risk of covert exfiltration, unauthorized callbacks, and persistence via third-party infrastructure.

Missing User Warnings

Medium (90% confidence)
Finding
The markdown instructs users to place a live API key directly into a persistent local configuration file and even provides a realistic key format, but gives no warning about sensitivity, storage risks, rotation, or least-privilege handling. This increases the likelihood of credential leakage through shell history, screenshots, backups, dotfile syncing, or accidental commits, which could enable unauthorized access to the remote voice platform.

Missing User Warnings

Medium (95% confidence)
Finding
History and transcript retrieval expose potentially sensitive call metadata and full conversation contents, yet the tool descriptions do not prominently warn about privacy impact or safe handling expectations. Although masking exists as a parameter, it is optional and the outputs still facilitate easy disclosure of customer data to the agent or downstream logs.

Missing User Warnings

High (98% confidence)
Finding
The export tools are specifically designed to return conversation data for AI analysis or training, but they lack strong user-facing privacy disclosure despite handling highly sensitive transcript content at scale. This creates a clear risk of privacy violations, regulatory exposure, and secondary misuse because users may not realize they are exporting customer conversations into training-ready formats.

Vague Triggers

High (96% confidence)
Finding
The skill defines outbound-call triggers using broad natural-language examples such as generic verbs for 'call' or 'negotiate', which risks mapping ambiguous user utterances to real telephony actions. In a voice/call-management skill with direct calling capability, this can cause unintended outbound calls and downstream disclosure of call results and transcripts without sufficiently explicit user confirmation.

Vague Triggers

High (95% confidence)
Finding
The instruction that any request to make a call must automatically execute the full workflow is insufficiently constrained and removes opportunities for consent checks, scope validation, or confirmation for risky actions. Because the workflow also retrieves transcripts, saves analytics, and reports results, a mistaken trigger can cascade into privacy and integrity harms beyond simply placing a call.

Missing User Warnings

Medium (88% confidence)
Finding
The workflow instructs the agent to fetch full call transcripts and summarize who answered, what was discussed, and include key quotes, but it does not warn about the privacy sensitivity of conversation contents. In this context, transcript access can expose personal, confidential, or regulated information to a user who may not be authorized to receive it.

Missing User Warnings

Medium (90% confidence)
Finding
The export section describes bulk and single-call export for LLM training and raw formats without warning users about the sensitivity of exported conversation data or the risks of wider retention and reuse. In a call-history platform, exports can enable large-scale exfiltration of transcripts and associated metadata if invoked by an unauthorized or over-broad request.

Ssd 3

Medium (93% confidence)
Finding
The skill directs the agent to report key quotes from transcripts by default, which increases the chance of disclosing sensitive conversation content unnecessarily. Even when a user requested a call outcome, verbatim excerpts can reveal more personal or confidential information than needed to satisfy the request.

Ssd 3

High (98% confidence)
Finding
The skill explicitly documents that PII masking can be disabled to obtain raw data, creating a clear pathway to expose unredacted personal information from call history and exports. In a system handling phone conversations, this materially raises the risk of privacy violations, insider misuse, and compliance breaches if access controls or user authorization are weak or bypassed.

VirusTotal

66/66 vendors flagged this skill as clean.
