KallyAI Executive Assistant

Pass. Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: kallyai
Version: 2.0.0

The KallyAI skill is classified as suspicious due to its broad and powerful capabilities, which present a significant attack surface for prompt injection and potential abuse of legitimate functions. Key indicators include the ability to send arbitrary emails (`actions email send`), make calls to any number (`calls make`), and perform open-ended 'errands' (`actions errand`) via natural language input. Additionally, the `inbound import-contacts <file>` command could be exploited via prompt injection to read local files. While these functions are central to an 'AI Executive Assistant,' their combination with natural language interfaces (`kallyai ask`) creates a high risk of an AI agent being tricked into performing unintended or harmful actions, such as phishing or data exposure, without clear evidence of intentional malicious design within the skill itself.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or over-broad request could cause the assistant to call or message third parties, make reservations, order services, or start outreach with real-world consequences.

Why it was flagged

The skill delegates many high-impact real-world actions to an external CLI/service, including communications, bookings, orders, bills, and outreach, but the provided instructions do not clearly require user confirmation or scoped approvals for those actions.

Skill content

handles phone calls (outbound + inbound), email, bookings, research, errands, multi-channel messaging... handle bills, order food/rides... run outreach campaigns... any delegation task

Recommendation

Only use this skill with explicit task boundaries. The skill should add clear approval requirements before external communications, purchases, bookings, account changes, or multi-recipient outreach.

Concern (Medium Confidence)

ASI03: Identity and Privilege Abuse

What this means

Installing or using the skill may give the service access to sensitive accounts or communication channels beyond what a user expects from a single task.

Why it was flagged

The skill requires delegated account authentication, but the artifacts do not clearly define the full OAuth scopes or how those credentials relate to the broad email, messages, calls, channels, calendar, and billing/order capabilities.

Skill content

User signs in with Google or Apple → receives access token... Authentication: Authorization: Bearer <access_token>... For CLI, authentication is automatic

Recommendation

Review the actual OAuth consent screen and requested scopes before use, prefer least-privilege accounts, and revoke access when no longer needed.

Concern (High Confidence)

ASI10: Rogue Agents

What this means

The assistant could continue answering or routing calls after setup, which may affect personal or business communications if not closely managed.

Why it was flagged

The skill describes persistent phone-number, forwarding, routing, and inbound receptionist behavior that may continue beyond a single user request, without clearly shown expiry or disable controls in the provided artifact.

Skill content

View incoming calls handled by AI receptionist... manage routing rules, voicemails, contacts... Provision numbers, set up forwarding, manage caller ID

Recommendation

Use persistent inbound-call features only after confirming how to review, pause, disable, and audit all phone numbers, forwarding rules, and receptionist settings.

What this means

Users must trust the external CLI package to handle credentials and commands safely.

Why it was flagged

The skill depends on an external pip-installed CLI that was not included in the provided artifact set. This is aligned with the skill's purpose, but its implementation and provenance are outside this review.

Skill content

"requires":{"bins":["kallyai"]},"install":[{"id":"pip","kind":"pip","package":"kallyai-cli","bins":["kallyai"],"label":"Install via pip"}]

Recommendation

Verify the package publisher, source, version, and permissions before installing or running the CLI.

What this means

Private messages, call details, transcripts, and task instructions may be processed or stored by the KallyAI service.

Why it was flagged

The skill sends tasks to and retrieves sensitive communications from an external provider, including inbox data and call transcripts. This is expected for the stated service, but users should notice the privacy implications.

Skill content

Base URL: https://api.kallyai.com... kallyai messages inbox... kallyai calls transcript... kallyai inbound transcript

Recommendation

Avoid sending highly sensitive information unless you trust the provider's privacy, retention, and deletion practices.