VAPI Calls

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it advertises, but it can place real autonomous phone calls and exposes a public webhook while under-disclosing consent, safety, and transcript-retention risks.

Install only if you deliberately want an agent to place real phone calls through your Vapi account. Confirm every recipient, purpose, and legal basis before calling; comply with telemarketing, AI disclosure, and recording/transcription laws; expose the webhook only through a controlled tunnel; monitor Vapi costs; and protect or delete the local call transcript logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (6)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill clearly requires sensitive environment variables, network access, and an internet-reachable webhook, yet no explicit permissions declaration is present. This creates a transparency and consent problem: a user or orchestrator may invoke a capability that can place external calls and expose a temporary public endpoint without adequate gating or review.

Description-Behavior Mismatch

Severity
Low
Confidence
93% confidence
Finding
The script persistently logs call results to disk under ~/.openclaw/workspace/logs/vapi-calls, which can include sensitive call metadata and, via the result object, transcripts and summaries. Because the skill description does not disclose local storage, this creates an unnecessary privacy and data-retention risk, especially on shared hosts or multi-user systems.

Context-Inappropriate Capability

Severity
Medium
Confidence
91% confidence
Finding
The code accepts an arbitrary prompt from argv and injects it directly as the model's system message, allowing callers to redefine assistant behavior beyond the declared calling use cases. In this context, a persuasive phone agent with unrestricted prompt control can be repurposed for deceptive, abusive, or policy-violating calls.

Vague Triggers

Severity
Medium
Confidence
88% confidence
Finding
The instruction 'Use this skill to perform any task that requires voice interaction over the phone' is overly broad and can cause the agent to select this skill for many loosely related requests. In context, that means an autonomous system could trigger real outbound calls for persuasion, sales, bookings, reminders, or notifications with insufficient narrowing, increasing the risk of unintended contact, spam-like behavior, privacy violations, and social-engineering misuse.

Missing User Warnings

Severity
Medium
Confidence
96% confidence
Finding
The skill description and usage guidance do not prominently warn that it performs autonomous outbound phone calls and sends call content/metadata to an external provider (Vapi) via API and webhook flows. Because the skill handles phone numbers, call missions, greetings, and transcripts/reports, missing disclosure materially increases privacy, consent, and compliance risk, especially for third-party recipients who did not directly authorize AI-mediated contact.

Missing User Warnings

Severity
Medium
Confidence
96% confidence
Finding
The script writes transcripts and summaries from completed calls to a local JSON log without any consent flow or disclosure in the file. Voice transcripts often contain personal or sensitive information, so undisclosed persistence materially increases privacy, compliance, and insider-access risk.

VirusTotal

64/64 vendors flagged this skill as clean.