Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

clawcall-phone

v2.0.9

Give this agent a real phone number. Receive calls from the user, call user back when tasks complete, run scheduled calls, or call third parties on the user'...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
Crypto, Requires wallet, Can make purchases
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
VirusTotal: Suspicious
OpenClaw: Benign (high confidence)
Purpose & Capability
Name/description (phone calls, callbacks, scheduled and third‑party calls) align with requested binaries (node, openclaw) and required env vars (CLAWCALL_API_KEY, CLAWCALL_EMAIL). The primary credential is the API key, which is expected for a telephony service.
Instruction Scope
SKILL.md confines network traffic to https://api.clawcall.online and optionally a local webhook. It instructs registering via the service, storing returned API key/email, and running a Node listener that polls for inbound calls and invokes the local OpenClaw CLI (or posts to a local HTTP agent). These behaviors match the stated purpose, but the skill does recommend running a long‑running background process and storing credentials as environment variables—users should consent and be comfortable running that process.
Install Mechanism
Instruction-only install (no downloads or external installers). The shipped listener is a small Node script included in the bundle; no third‑party downloads or archive extraction are performed during install.
Credentials
Only CLAWCALL_API_KEY and CLAWCALL_EMAIL are required (primaryEnv set to CLAWCALL_API_KEY). No unrelated credentials or broad filesystem/config path access are requested.
Persistence & Privilege
always:false and user-invocable:true. The skill requires running a long‑lived listener process (user-started or started by the agent with user consent). This persistent listener is necessary for inbound call delivery but gives the process ongoing network access while running.
Assessment
This skill appears internally consistent with providing phone-call capabilities, but before installing:
1) Verify you trust the ClawCall service (https://api.clawcall.online), since the skill registers your phone and stores an API key that grants telephony access.
2) Protect the returned CLAWCALL_API_KEY and CLAWCALL_EMAIL (do not paste them to unknown places).
3) Review the included listener script (listener/clawcall-listener.js): it only talks to the declared API and invokes the OpenClaw CLI or a local webhook, but running it starts a background process that will poll the network.
4) If you prefer tighter control, run the listener manually in a terminal (do not let the agent start it), or set CLAWCALL_AGENT_URL to your own local HTTP handler to avoid spawnSync usage.
5) Monitor billing/overage on the service and stop the listener when not needed.
If you are uncertain about running persistent background services, consider running the code in an isolated environment (container or VM) and inspect network traffic during initial use.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
listener/clawcall-listener.js:151: Shell command execution detected (child_process).

Runtime requirements

Bins: node, openclaw
Env: CLAWCALL_API_KEY, CLAWCALL_EMAIL
Primary env: CLAWCALL_API_KEY
