AnveVoice

Suspicious

Audited by ClawScan on May 10, 2026.

Overview

AnveVoice is purpose-aligned, but it asks users to grant broad AnveVoice account access while handling sensitive visitor voice and lead data through external services.

Install only if you trust AnveVoice with visitor voice conversations and lead data. Use the narrowest possible API key, avoid the README's Full Access recommendation unless necessary, test on a staging site first, and require explicit approval before deleting bots, changing live assistants, or retrieving recordings/leads.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the agent uses a full-access key, it may be able to read sensitive leads/recordings/analytics and change or delete bots beyond the user's immediate request.

Why it was flagged

An API key is expected for this service, but recommending Full Access during setup grants broader account authority than necessary for many tasks.

Skill content

Select permissions (recommended: Full Access)

Recommendation

Use narrowly scoped API keys such as analytics:read, bots:write, leads:read, or embed:read as needed, and avoid Full Access unless the user explicitly needs all administrative capabilities.

What this means

A mistaken or overly broad instruction could alter a live website assistant, delete a bot, or expose visitor lead/recording data.

Why it was flagged

The documented toolset includes destructive account operations and sensitive reads. This is purpose-aligned, but it should be controlled by clear user approval.

Skill content

`create_bot`, `update_bot`, `clone_bot`, `delete_bot` ... `extract_leads` ... `list_session_recordings`, `get_session_recording`

Recommendation

Require explicit confirmation before delete/update actions, before extracting leads or recordings, and before making changes that affect a live website.

What this means

Visitor speech, transcripts, and contact details may be stored and later reviewed or used for analysis, which creates privacy and compliance obligations.

Why it was flagged

The skill stores and processes visitor conversations and related metadata, which can become persistent context for analytics, review, and bot operation.

Skill content

This skill handles sensitive voice data: Voice recordings from website visitors; Conversation transcripts; Contact information ... Browser metadata for analytics

Recommendation

Publish a clear privacy notice, obtain consent before recording, configure retention appropriately, and avoid PHI/payment data unless the required legal and security agreements are in place.

What this means

Users must trust the AnveVoice/Supabase backend and the hosted widget code that will run on their website and process visitor voice data.

Why it was flagged

The skill depends on external hosted APIs and a remote widget script that are not present in the reviewed artifact set.

Skill content

MCP API `aaxlcyouksuljvmypyhy.supabase.co` ... Widget CDN `anvevoice.com/embed.js`

Recommendation

Review the provider, verify domains, monitor changes to the hosted script/API, and test in staging before deploying to production.

What this means

Users could overestimate what has been independently verified if they treat the badge as proof that the whole integration is safe.

Why it was flagged

The VirusTotal claim applies to SKILL.md, not to the remote widget script, Supabase backend, or any future hosted code changes.

Skill content

VirusTotal Verification ... Detection Rate 0/62 ... File SKILL.md

Recommendation

Treat the VirusTotal badge as limited evidence only, and assess the live service, hosted scripts, credential scopes, and compliance needs separately.