Openclaw Voice Gpt Realtime

Pass

Audited by ClawScan on Feb 24, 2026.

Overview

The skill's code, configuration, and instructions are internally consistent with a Twilio + OpenAI Realtime voice-calling plugin; required credentials and files align with the stated purpose, though a few implementation notes and minor mismatches are worth checking before install.

What to consider before installing:

- Credentials: You must provide a Twilio Account SID and Auth Token, a Twilio voice-capable phone number, and an OpenAI API key with Realtime access. These are stored in the plugin configuration (not as environment variables); treat them as sensitive.
- Runtime & install: The package is distributed via the registry, but the runtime requires Bun (the code uses Bun-specific APIs). Make sure Bun is installed and available; installing via npm alone does not satisfy this requirement.
- Public webhook: Twilio requires a publicly reachable HTTPS origin. You must set up a tunnel (ngrok/Cloudflare/Tailscale) and configure publicUrl to an HTTPS origin (the plugin enforces public origin-only and rejects localhost/private hosts).
- Local data & debugging: Call metadata is persisted under ~/.openclaw/voice-calls-realtime (calls.jsonl). Enabling debug mode causes raw audio recordings and transcripts to be written there. The plugin states it writes files with restrictive permissions, but if you are concerned about stored audio/transcripts, do not enable debug or periodically remove that directory and review permissions.
- Inbound calls: Disabled by default. If you enable inbound handling, carefully set the allowlist policy to avoid accepting calls from arbitrary numbers.
- Review & trust: The package includes full source and an associated GitHub repo in the metadata. If you will run this in production or with sensitive calls, review the Twilio client and webhook code (src/twilio-client.ts and src/server.ts) and confirm there are no unexpected external endpoints beyond Twilio/OpenAI. Verify the published package matches the repo if provenance matters.
- Operational costs & limits: The README includes per-minute cost estimates and concurrency/duration limits. Ensure you understand billing implications for outbound/inbound calls.
- Safety: The plugin implements safety guardrails for prompts and instructs the voice agent to be transparent about being an AI. The scanner flagged a 'system-prompt-override' pattern, but the code explicitly sanitizes and wraps agent-provided prompts; still, you should avoid sending highly sensitive personal data into calls.

If you are unsure about trusting the publisher or running audio-recording code on your machine, run the plugin in an isolated environment/VM or review the full source before enabling debug or inbound call acceptance.