KallyAI Executive Assistant (Claude Code)
WarnAudited by ClawScan on May 10, 2026.
Overview
KallyAI is not shown to be malware, but it can take broad real-world actions like calls, emails, bookings, outreach, and billing-related tasks with limited visible safeguards.
Install or use this only if you trust KallyAI to act on your behalf across calls, email, messages, bookings, and account-management tasks. Prefer explicit, narrow prompts; confirm budgets and side effects; monitor goals and histories; avoid large outreach or billing changes without manual review; and log out or revoke tokens on shared or untrusted devices.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A broad or misunderstood prompt could cause the assistant to place calls, send emails or messages, make bookings, run outreach, or spend service credits on the user’s behalf.
The preferred command can automatically trigger side-effecting tools such as calls and emails, and the visible documentation does not clearly require per-action approval before those real-world actions occur.
For most requests, use `ask` — it routes through the coordination AI automatically. ... Routes through coordination AI. Creates goals, makes calls, sends emails — whatever is needed.
Use explicit instructions, set budgets, review goals before execution, and require confirmation before calls, emails, purchases, outreach, bookings, subscription, or billing changes.
One incorrect instruction or misinterpreted request could cascade into multiple external actions rather than a single reversible step.
The API is designed to turn one natural-language message into goals and downstream actions, which can propagate mistakes across calls, email, bookings, and other channels if not tightly controlled.
Send a natural language message to the coordination AI. Automatically creates goals and dispatches actions.
Start with status/read-only commands, inspect created goals, use cancel/escalate controls, and avoid open-ended delegation unless you are ready for multi-step execution.
Anyone who can read that token file may be able to access the user’s KallyAI account until the token is revoked or logout clears it.
The CLI persists OAuth tokens locally, including a refresh token. The file permission is restrictive, and this is expected for login, but it remains a sensitive credential.
TOKEN_FILE = Path.home() / ".kallyai_token.json" ... "refresh_token": refresh_token ... TOKEN_FILE.chmod(0o600)
Only use this on a trusted machine, keep the home directory protected, run the documented logout command when finished, and revoke access if the device is lost or shared.
Private emails, messages, call transcripts, recordings, goals, and conversation history may be available through the KallyAI account and API.
The service can access sensitive communications and stored interaction records. This fits the assistant purpose, but users should understand the sensitivity of the data involved.
| `email:read` | Read email messages | | `transcripts:read` | Read call transcripts | | `recordings:read` | Access call recordings |
Avoid delegating highly sensitive matters unless you trust the service’s data handling, and periodically review stored messages, call logs, transcripts, and account permissions.
Users have fewer signals to confirm who maintains the CLI code or where to get trusted setup instructions.
The package provenance and homepage are not supplied, and there is no install specification even though executable Python files are included. No hidden install behavior is shown, but users have less provenance information to verify.
Source: unknown Homepage: none No install spec — this is an instruction-only skill.
Verify the publisher and API domain before authenticating, inspect the included script before running it, and install any missing Python dependencies only from trusted package sources.