ClawHub

Bland

v1.0.0

Place and manage AI-driven phone calls, access transcripts, recordings, call status, and configure inbound call agents via the Bland AI API.

0· 302·1 current·1 all-time
by@0xrichyrich
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the included script and SKILL.md: the script calls https://api.bland.ai/v1 to place and manage calls. However the skill metadata declares no required environment variables or binaries while both the SKILL.md and the script clearly expect a BLAND_API_KEY and rely on command-line tools (curl, jq) that are not listed as required. This mismatch is likely an oversight but is disproportionate to the stated metadata.
Instruction Scope
SKILL.md and the script confine actions to calling Bland's API endpoints and local .env lookup. The runtime instructions and script do not include broad file collection, unrelated network destinations, or commands that modify other skills or system configuration beyond reading a .env file and making HTTP requests.
Install Mechanism
No install spec (instruction-only with a bundled script). There are no remote downloads or archive extraction; the only code is the provided shell script, so install risk is low. However the script will be executed on the host, so missing dependency declarations matter.
!
Credentials
The script requires a BLAND_API_KEY (and SKILL.md documents BLAND_API_KEY in /root/clawd/.env) but the skill registry metadata lists no required environment variables or primary credential. The script also attempts to read /root/clawd/.env and a .env relative to the script; reading a root-level .env is sensitive because it may contain other secrets. Additionally, the script assumes presence of system utilities (curl, jq) that are not declared. These gaps increase the chance of accidental credential exposure or execution failures.
Persistence & Privilege
The skill is not always-enabled and does not request special persistent privileges. It does not modify other skills' configs or system-wide settings in the provided code.
What to consider before installing
This skill's behavior (making phone calls via Bland's API) is consistent with its description, but before installing: 1) confirm you want to provide a BLAND_API_KEY and that the key is only for the Bland service; 2) inspect the script yourself (it's included) and ensure it only calls the documented API endpoints; 3) be aware it reads /root/clawd/.env (which may contain other secrets) — consider storing the Bland key in a dedicated, restricted location or setting BLAND_API_KEY in the environment instead; 4) make sure required utilities (curl, jq) are installed and that you accept the cost and privacy implications of placing outbound/inbound calls and storing transcripts/recordings; and 5) ask the publisher to update the registry metadata to declare BLAND_API_KEY and required binaries (curl, jq) to remove the mismatch. If you cannot verify these, treat the skill as untrusted.

Like a lobster shell, security has layers — review code before you run it.

latestvk970gqr50c51yww39ez7czy4h5824cww

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments