Back to skill

Security audit

VAPI Calls

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises, but it can place real autonomous phone calls and keeps sensitive call records with limited safety and consent controls.

Install only if you deliberately want an agent to place real calls through your Vapi account. Confirm the recipient, purpose, cost, and legal basis before each call; comply with AI disclosure, telemarketing, and recording/transcription rules; expose the webhook only through a controlled tunnel; and regularly review or delete the local call logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill declares powerful capabilities through required environment variables, webhook exposure, Python execution, outbound HTTP requests, and temporary server behavior, but does not explicitly declare permissions. This creates a transparency and consent gap: users may install or invoke a skill that can access secrets, write files/runtime artifacts, and communicate over the network without clear permission signaling.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script persistently stores call results under ~/.openclaw/workspace/logs/vapi-calls, and those results may include transcripts, summaries, phone metadata, and other sensitive call content. For a phone assistant skill, local logging may be operationally useful, but storing this data by default without minimization, retention limits, or access controls creates unnecessary privacy and data exposure risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The instruction 'Use this skill to perform any task that requires voice interaction over the phone' is overly broad and can cause the agent to select this skill for many ordinary tasks without emphasizing that it places autonomous outbound calls to third parties. In this context, over-triggering is risky because invocation can incur real-world actions, privacy exposure, harassment/spam, or unintended contact with external people.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description and guidance do not prominently warn that the tool will autonomously place outbound phone calls and conduct conversations with third parties. In a calling/persuasion/sales context, the absence of a clear warning increases the chance of accidental or uninformed use, with potential privacy, consent, legal, reputational, and financial consequences.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The manifest explicitly advertises autonomous AI phone calls but does not mention user consent, approval gates, recipient authorization, or call-use restrictions. In a telephony skill, missing consent and control language increases the risk of unauthorized outbound calls, spam, harassment, or social-engineering misuse, especially because the skill is designed for persuasion and sales contexts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code writes full call results to disk, including transcript and summary fields populated from the end-of-call report, without any user-facing notice or consent mechanism. This increases the risk of privacy violations and secondary disclosure if the host system is shared, backed up, or later compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The outbound API request sends the callee phone number and assistant prompt content to a third-party service, which is inherent to the feature but still a privacy-relevant external data transfer. In the context of a voice-calling assistant, this transmission is expected, yet it becomes risky when users are not clearly informed what data leaves the local environment.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.