Lunara Voice
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: lunara-voice Version: 1.0.0 The skill bundle is suspicious due to a significant prompt injection vulnerability that could lead to information disclosure, primarily stemming from the instructions in `plugin/skills/lunara-voice/SKILL.md`. This markdown file dictates an 'Autonomous Execution' workflow for outbound calls, instructing the AI agent to make calls to user-specified numbers (via `lunara_call_single`), silently poll for completion, retrieve the full call transcript (via `lunara_history_detail` with `include_transcript=true`), and then report a summary including 'key quotes' from the transcript back to the user. This allows an attacker to prompt the agent to call sensitive numbers and exfiltrate the entire conversation content. Additionally, the `plugin/index.ts` exposes a `lunara_webhook_create` tool, enabling the agent to configure webhooks to arbitrary HTTPS URLs, which could be leveraged for data exfiltration if the agent is compromised.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A simple request to call someone can trigger a real phone call, repeated background polling, transcript retrieval, analytics saving, and tagging before the user gets another response.
The skill forces a fixed tool sequence and silent polling for any outbound-call request, rather than requiring an explicit confirmation point or letting the user control the stop conditions.
AUTONOMOUS EXECUTION ... Whenever the user asks to call someone ... you MUST complete ALL steps below in ONE turn ... Do NOT message the user — poll silently.
Require explicit user confirmation before placing calls or campaigns, and let users choose whether to poll, analyze, tag, or retrieve transcripts afterward.
A mistaken or overly broad instruction could start calls to many recipients, affecting costs, compliance, and recipient privacy.
The tools can initiate bulk outbound calling at large scale, but the artifacts do not describe approval gates, contact validation, rate limits, or safe defaults for campaign execution.
`lunara_campaign_create` — Create a call campaign with contacts ... `lunara_campaign_start` — Start a campaign's call loop ... Max contacts per campaign: 10,000
Add explicit confirmation for every outbound call and campaign start, show contact counts before execution, and define safe limits and cancellation steps.
The agent may be able to create, list, revoke, or permanently delete Lunara API keys for the configured account.
The plugin uses configured account identity information to administer API keys, including irreversible deletion. This is high-impact account authority.
`X-User-Email`: cfg.userEmail ... `lunara_key_create` ... `lunara_key_revoke` ... `lunara_key_delete` ... `Permanently delete a Lunara API key. This action cannot be undone.`
Use a least-privilege API key, avoid enabling key-management functions unless needed, and require explicit confirmation before creating, revoking, or deleting credentials.
Private call content and personal data can be brought into the agent conversation or exported for training workflows.
The plugin can retrieve and export call transcripts, including raw unmasked data when requested. This is purpose-aligned, but transcripts may contain sensitive personal or business information.
`lunara_history_detail` | Get full call detail + transcript + tags ... `lunara_export_bulk` | Bulk export conversations for LLM training ... Set mask_pii=false to get raw data.
Keep PII masking enabled by default, export only selected conversations, and avoid sharing raw transcripts unless necessary.
Call and campaign event data may be sent to external webhook endpoints after setup.
Webhook subscriptions are an expected integration feature, but they create persistent outbound event flows to configured URLs.
`lunara_webhook_create` | Create webhook for real-time call event notifications ... Webhook events: call.started, call.completed, call.failed, analysis.completed, campaign.started, campaign.completed, campaign.failed
Create webhooks only for trusted HTTPS endpoints, review subscribed event types, and remove unused webhook subscriptions.