VAPI Calls
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
The skill appears to call Vapi as advertised, but it can autonomously call arbitrary phone numbers, expose a public webhook, and persist call transcripts without enough safeguards.
Install only if you are comfortable giving the agent authority to place phone calls through your Vapi account. Before use, require manual confirmation for each call, verify the number and mission, understand legal/consent obligations, secure the public webhook, and decide whether transcript logs should be kept or disabled.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could call the wrong person, make unwanted sales or persuasion calls, incur telephony/AI costs, or create legal and reputational issues if invoked too broadly.
This gives the agent authority to start an outbound AI phone call to a supplied recipient and define the call mission. The artifacts do not require explicit per-call approval, allowed-recipient limits, consent checks, rate limits, or cost confirmation.
Capable of persuasion, sales, restaurant bookings, reminders, and notifications ... make_vapi_call ... Triggers an autonomous AI phone call ... phone_number ... system_prompt
Require explicit user approval before every call, show the exact number and mission, restrict allowed purposes and recipients, add rate/cost limits, and document consent/do-not-call compliance expectations.
A reachable webhook could be abused to inject fake call reports, prematurely complete a call flow, or poison stored/output call data if the call identifier is exposed or guessed.
The webhook server listens on all interfaces and processes JSON POST bodies using only a call-id comparison. No webhook signature, shared secret, path restriction, or authentication check is shown, even though the skill instructs users to expose the webhook to the internet.
server = HTTPServer(('0.0.0.0', WEBHOOK_PORT), WebhookHandler) ... body = json.loads(self.rfile.read(content_length)) ... if call_id == expected_call_id:
Validate Vapi webhook signatures or a shared secret, reject missing call IDs, restrict accepted paths, bind locally when using a tunnel, and fail closed on unauthenticated webhook data.
Sensitive phone-call contents may remain on disk and could be read later by users, tools, backups, or other processes with access to the OpenClaw workspace.
End-of-call transcripts and summaries are persisted to local JSON log files. The SKILL.md usage instructions do not disclose retention, redaction, opt-out, or cleanup behavior.
"transcript": message.get("transcript", ""), "summary": message.get("summary", "") ... log_dir = os.path.expanduser("~/.openclaw/workspace/logs/vapi-calls") ... json.dump(result, f, indent=2)
Clearly disclose transcript logging, provide an option to disable or redact logs, document retention and cleanup, and avoid storing sensitive call content unless the user explicitly wants it.
Anyone or any agent flow that can invoke the skill with these credentials may be able to place calls through the user's Vapi account and incur charges.
These credentials are expected for a Vapi calling integration, but they grant delegated authority to use the user's Vapi assistant and phone number.
`VAPI_API_KEY`: Your Vapi Private API Key ... `VAPI_ASSISTANT_ID` ... `VAPI_PHONE_NUMBER_ID`: The ID of the Vapi Phone Number.
Use a dedicated, least-privileged Vapi key if available, monitor usage and costs, rotate the key if exposed, and restrict which workflows may invoke the calling tool.
Installing through npm-style workflows may execute a local chmod command and resolve a dependency version from the package ecosystem.
The package includes a postinstall command and a range dependency. The postinstall action is limited to making the included script executable and appears purpose-aligned, but it is still install-time behavior users should notice.
"postinstall": "chmod +x scripts/vapi_calls.py" ... "dependencies": { "requests": "^2.31.0" }
Declare the install behavior in registry metadata, pin dependencies or provide a lockfile, and keep the postinstall step limited and auditable.
