Mobayilo Voice (Beta)
Pass
Audited by ClawScan on May 10, 2026.
Overview
Mobayilo Voice is coherent for guarded outbound calling and defaults to preview mode, but users should carefully control live-call execution and verify the Mobayilo CLI setup.
Before installing, verify the moby CLI installer and binary, configure MOBY_REQUIRE_APPROVAL=1 or another human-approval gate for real calls, keep dry-run for testing, and clean up local status/log files if account metadata is sensitive.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If a workflow or agent sets execute=true, the skill can place a real outbound phone call using the configured Mobayilo account.
The skill exposes a callable action that can pass a destination and execute flag to the phone-call adapter. This is central to the skill's purpose and dry-run is the default, but live execution is a high-impact operation.
start_call: run: python integrations/mobayilo_voice/actions/start_call.py --destination "{{destination}}" --country "{{country}}" ... {{#if execute}}--execute{{/if}}
Keep dry-run as the default, require human confirmation or MOBY_REQUIRE_APPROVAL=1 for live calls, and only pass trusted/validated destination values.
Calls may use the user's Mobayilo identity, caller ID, and account balance.
The skill relies on the user's authenticated Mobayilo CLI/account to check status, balance, and place calls. That account authority is expected for the integration but should be treated as sensitive.
Real call execution still requires installed/authenticated `moby` CLI + desktop audio path.
Use an account intended for automation, monitor balance and call logs, and avoid sharing the authenticated CLI environment with untrusted workflows.
Users who follow the runbook will execute code fetched from Mobayilo's CLI distribution endpoint.
The documented setup path is a user-directed remote installer and self-update flow. This is relevant to installing the required CLI, but it is not pinned in the artifacts.
curl -fsSL https://mobycli.mobayilo.com/install.sh | sh
moby self-update
Verify the installer source, prefer signed or pinned releases where available, and review the installer before running it in sensitive environments.
Account status, balance, email, or caller-ID metadata could remain on the local machine after verification.
The verification script writes auth-status and balance output to predictable local /tmp files and prints them. This is local and user-directed, but those outputs may include account metadata.
"$cli_path" auth status --json >/tmp/moby_auth_status.json ... "$cli_path" balance --json >/tmp/moby_balance.json
Run verification only on trusted machines, restrict local file access where needed, and delete temporary status files after use.
Call-progress metadata depends on a local service boundary; other local processes could affect or observe this boundary if the desktop agent is not properly isolated.
The adapter polls a localhost desktop agent endpoint for call state. This is purpose-aligned for the local audio/agent workflow, but the artifact does not show an authentication check for that localhost API.
url = f"http://127.0.0.1:7788/v1/calls/{call_id}" ... urllib.request.urlopen(req, timeout=2)
Ensure the Mobayilo desktop agent binds only to localhost, uses appropriate local protections, and is run only on trusted workstations.
