phone calling
v1.0.7Make international phone calls to any country. Low per-minute rates. Pay with PayPal or UPI.
⭐ 3· 1.7k·2 current·2 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill's name/description (international phone calls) aligns with the provided OpenAPI and guides (calls, billing, transcriptions, webhooks). However, the registry metadata declares no required credentials or env vars while multiple guides repeatedly instruct using an API key (RINGEZ_API_KEY / Authorization: Bearer <key>) and agent-specific headers. That omission is an inconsistency (likely an authoring oversight) and should be clarified.
Instruction Scope
The SKILL.md and other docs instruct the agent to: create/store session IDs, use API keys, manage payments, enable real-time transcription, host webhook endpoints and secrets, and verify webhook signatures. These are legitimate for a telephony integration but expand the agent's operational scope far beyond a simple 'make a call' instruction. There's also a contradictory claim ('without requiring authentication or personal data') alongside explicit API key-based authentication — a direct contradiction that needs resolution.
Install Mechanism
This is an instruction-only skill with no install spec and no code files to execute. That is the lowest-risk install model (nothing is written to disk by the skill package itself).
Credentials
Although the registry lists no required env vars, the docs repeatedly instruct storing and using secret API keys (sk_live_...), webhook secrets, and payment tokens. Requesting those secrets would be proportionate for a calling service, but the skill metadata should declare them. The mismatch makes it unclear what credentials the agent will actually request or need at runtime.
Persistence & Privilege
The skill is not marked always:true and does not request special platform privileges. Still, the integration patterns require running webhook servers and long-lived secrets (webhook_secret, API keys) which create persistent networking exposure and a larger blast radius if keys are leaked. This is expected for webhook-based services but worth noting.
What to consider before installing
What to check before installing or using this skill:
- Verify the vendor: the docs use ringez-api.vercel.app and support@ringez.com; confirm Ringez is a legitimate service (website, company, reviews) before sharing keys or payment tokens.
- Expect to supply secrets: the guides require an API key (RINGEZ_API_KEY / Authorization: Bearer), webhook secret, and payment tokens. The registry metadata not declaring these is an inconsistency—ask the author to clarify required env vars and minimal scopes.
- Use least-privilege/test keys: if you try the skill, use sandbox/test API keys, set strict rate/spend limits, and avoid exposing production billing keys until you're confident.
- Webhook caution: the skill’s examples instruct you to host webhook endpoints and store webhook secrets. Hosting endpoints exposes your network and requires correct signature verification; if you accept this skill, make sure your webhook handling verifies signatures and keeps secrets off public logs.
- Monitor billing and logs: allow only small initial spend, monitor for unexpected calls, and rotate keys if anything looks suspicious.
- Ask for clarification: request that the publisher update the registry metadata to list required env vars and explain the contradictory statement about authentication. If they cannot clarify, treat the mismatch as a red flag.
Overall: the content looks like a real calling API, not obviously malicious, but the omissions and contradictions around credentials and authentication elevate the risk — proceed only after verifying the service and using test/limited credentials.Like a lobster shell, security has layers — review code before you run it.
latestvk97062ch1pq96m8xr1pbv5rrp980vt3g
License
MIT-0
Free to use, modify, and redistribute. No attribution required.