clawcall-phone
WarnAudited by ClawScan on May 18, 2026.
Overview
This phone skill is mostly aligned with its purpose, but it routes live phone input into the local agent and has a Windows shell-execution path that could make caller-controlled text unsafe.
Review before installing, especially on Windows. If you use it, prefer the local HTTP bridge, keep sensitive OpenClaw actions behind confirmation, protect the ClawCall API key, avoid storing secrets in USER.md or MEMORY.md, and remember that calls, transcripts, recordings, and overage charges may involve external services.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or mis-transcribed call message could potentially execute unintended local commands on Windows systems.
The `message` value comes from an inbound phone call and is passed to a spawned command. On Windows, enabling a shell around caller-controlled text can allow shell metacharacters to be interpreted.
spawn("openclaw", ["agent", "--session-id", callSid, "--message", message, "--json"], { shell: process.platform === "win32", ... })Avoid `shell: true` for caller-controlled arguments; resolve the OpenClaw executable directly, use `execFile`/`spawn` without a shell, or strictly escape and validate all arguments.
Anyone who can successfully reach the configured phone line may be able to influence what the local agent does or says.
The core design intentionally lets phone callers send instructions into the agent. This is purpose-aligned, but it is a broad control surface.
the listener polls ClawCall for you and passes each caller's speech directly to this agent via `--message`
Use caller allowlisting, keep sensitive OpenClaw actions behind confirmation, and prefer the limited local bridge for live calls rather than the full agent CLI path.
Anyone with the API key may be able to use or manage the associated phone-call service.
The skill requires an API key and recovery email for the ClawCall account, which is expected for a telephony service but grants account-level access.
"env": ["CLAWCALL_API_KEY", "CLAWCALL_EMAIL"], "primaryEnv": "CLAWCALL_API_KEY"
Store these environment variables securely, rotate the key if exposed, and avoid sharing logs or shell profiles containing the key.
Private profile, memory, task, or schedule details may be included in prompts and indirectly revealed during phone calls.
The bridge reads local profile and memory files, and can also summarize cron jobs and tasks for use in phone replies.
readTextSafe(path.join(WORKSPACE, "USER.md")); ... wantsMemory ? readTextSafe(path.join(WORKSPACE, "MEMORY.md")) : ""
Do not store secrets in these files, review what the phone bridge can read, and limit memory/task exposure if callers are not fully trusted.
Phone numbers, transcripts, replies, and recordings may be processed or stored by the external calling service.
The telephony provider and ClawCall service handle call recordings/transcripts. This is expected, but it means call content leaves the local machine.
Call recordings are stored as `.mp3` files hosted by Twilio. Retrieve URLs via `GET /api/v1/calls/history?transcripts=true`
Review ClawCall/Twilio privacy and retention practices before discussing sensitive information over calls.
The agent can continue receiving and responding to phone calls in the background while the listener is running.
The listener is a long-running polling process. It is disclosed and necessary for receiving calls, but it persists until stopped.
while (true) { ... request("GET", "/api/v1/calls/listen?timeout=15"); ... }Run only one listener when needed, stop it when phone access should be disabled, and monitor logs for unexpected calls.