VAPI Calls
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: vapi-calls
Version: 1.0.0
The skill is classified as suspicious primarily due to its explicit requirement for the user's machine to be publicly reachable from the internet via a webhook URL and port (default 4430), as detailed in `SKILL.md` and implemented in `scripts/vapi_calls.py`. While this is necessary for the skill's stated purpose of receiving real-time call updates from Vapi.ai, it introduces a significant security risk by exposing a port on the user's machine to the internet. The skill otherwise appears to function as described, making API calls to `https://api.vapi.ai` and logging call results locally, without evidence of intentional malicious behavior like data exfiltration to unauthorized endpoints, persistence mechanisms, or direct prompt injection against the OpenClaw agent.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could call the wrong person, make unwanted sales or persuasion calls, incur telephony/AI costs, or create legal and reputational issues if invoked too broadly.
This gives the agent authority to start an outbound AI phone call to a supplied recipient and define the call mission. The artifacts do not require explicit per-call approval, allowed-recipient limits, consent checks, rate limits, or cost confirmation.
Capable of persuasion, sales, restaurant bookings, reminders, and notifications ... make_vapi_call ... Triggers an autonomous AI phone call ... phone_number ... system_prompt
Require explicit user approval before every call, show the exact number and mission, restrict allowed purposes and recipients, add rate/cost limits, and document consent/do-not-call compliance expectations.
A reachable webhook could be abused to inject fake call reports, prematurely complete a call flow, or poison stored/output call data if the call identifier is exposed or guessed.
The webhook server listens on all interfaces and processes JSON POST bodies using only a call-id comparison. No webhook signature, shared secret, path restriction, or authentication check is shown, even though the skill instructs users to expose the webhook to the internet.
server = HTTPServer(('0.0.0.0', WEBHOOK_PORT), WebhookHandler) ... body = json.loads(self.rfile.read(content_length)) ... if call_id == expected_call_id:
Validate Vapi webhook signatures or a shared secret, reject missing call IDs, restrict accepted paths, bind locally when using a tunnel, and fail closed on unauthenticated webhook data.
Sensitive phone-call contents may remain on disk and could be read later by users, tools, backups, or other processes with access to the OpenClaw workspace.
End-of-call transcripts and summaries are persisted to local JSON log files. The SKILL.md usage instructions do not disclose retention, redaction, opt-out, or cleanup behavior.
"transcript": message.get("transcript", ""), "summary": message.get("summary", "") ... log_dir = os.path.expanduser("~/.openclaw/workspace/logs/vapi-calls") ... json.dump(result, f, indent=2)
Clearly disclose transcript logging, provide an option to disable or redact logs, document retention and cleanup, and avoid storing sensitive call content unless the user explicitly wants it.
Anyone or any agent flow that can invoke the skill with these credentials may be able to place calls through the user's Vapi account and incur charges.
These credentials are expected for a Vapi calling integration, but they grant delegated authority to use the user's Vapi assistant and phone number.
`VAPI_API_KEY`: Your Vapi Private API Key ... `VAPI_ASSISTANT_ID` ... `VAPI_PHONE_NUMBER_ID`: The ID of the Vapi Phone Number.
Use a dedicated, least-privileged Vapi key if available, monitor usage and costs, rotate the key if exposed, and restrict which workflows may invoke the calling tool.
Installing through npm-style workflows may execute a local chmod command and resolve a dependency version from the package ecosystem.
The package includes a postinstall command and a range dependency. The postinstall action is limited to making the included script executable and appears purpose-aligned, but it is still install-time behavior users should notice.
"postinstall": "chmod +x scripts/vapi_calls.py" ... "dependencies": { "requests": "^2.31.0" }
Declare the install behavior in registry metadata, pin dependencies or provide a lockfile, and keep the postinstall step limited and auditable.
