VAPI Calls

This skill appears to do what it says (make autonomous phone calls), but take these precautions before installing/using it: - Understand the network exposure: you must provide a publicly reachable WEBHOOK_BASE_URL (via ngrok, Cloudflare Tunnel, or a public server). That means inbound traffic will reach a server running on your machine; only do this from systems you control and trust. - Protect the API key: VAPI_API_KEY is sent in Authorization headers to api.vapi.ai. Treat it as a secret — use an account/key with limited scope and rotate/revoke keys if needed. - Verify the source: SKILL.md references a GitHub repo, but the skill's homepage/source are listed as unknown. If you plan to use it in production, inspect the repository or author history to confirm authenticity. - Packaging mismatch: SKILL.md asks for pip 'requests' and the code is Python, but package.json lists an npm dependency and a postinstall chmod. This is likely harmless leftover, but verify installation steps and avoid running untrusted package managers or scripts without review. - Legal and ethical considerations: automated calls (sales, persuasion) have regulatory and consent implications in many jurisdictions. Ensure recipients have provided consent and you understand applicable laws and platform billing. - Isolation: run first in an isolated/test environment (VM/container) and use ephemeral/test credentials. Check the logs written under ~/.openclaw/workspace/logs/vapi-calls to confirm expected behavior. If any of the above is unacceptable or you cannot verify the upstream source, treat the skill as untrusted and do not provide production credentials or expose sensitive systems to it.