Phone Voice Integration

Warn

Audited by ClawScan on May 10, 2026.

Overview

This skill describes a phone-accessible assistant that would expose private memory and action capabilities through external services, but the implementation and safeguards are not clearly bounded or reviewable.

Review carefully before installing. Only use this if you are comfortable exposing a voice bridge to the internet and sending selected memory/call context through Twilio, ElevenLabs, and Anthropic. Start with read-only actions, disable full memory injection for unknown callers, require PIN or out-of-band approval for sensitive actions, and do not deploy until the bridge code and its authentication/rate-limit behavior have been reviewed.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A phone caller could potentially interact with an assistant that has access to private profile, memory, and prior call information, and caller-supplied content may persist into future conversations.

Why it was flagged

The skill proposes automatically sending private user memory and prior call content into the model for every call, but does not clearly limit this by caller identity, redact sensitive data, or prevent caller-provided transcript content from influencing later calls.

Skill content

The bridge auto-loads context before each call: ... `MEMORY.md` ... `USER.md` ... Recent call transcripts (cross-call memory) ... All injected into the system prompt before Claude sees the conversation.

Recommendation

Disable full memory injection by default, separate unknown-caller mode from trusted-caller context, redact sensitive fields, require user approval before using stored memory, and define retention/deletion controls for transcripts.

What this means

If caller authentication fails, is spoofed, or is misconfigured, someone could use the phone interface to trigger actions in the user's accounts.

Why it was flagged

The phone-accessible agent is described as able to perform user-account actions, but the artifact does not clearly require confirmation, per-caller permissions, or safe limits before mutating calendars/messages/reminders.

Skill content

Ask it to check your calendar, send a message, set a reminder, etc.

Recommendation

Limit phone-call actions to read-only by default, require explicit confirmation for mutations, use per-caller allowlists and permissions, and require a PIN or out-of-band approval for calendar, messaging, and other account-changing actions.

What this means

Users cannot verify from this artifact whether caller screening, PIN checks, rate limits, token validation, transcript handling, or memory injection are implemented safely.

Why it was flagged

The skill depends on security-critical bridge files that would handle public requests, secrets, memory loading, and authentication, but the submitted package contains only SKILL.md and no reviewed code files.

Skill content

Key files: `server.py` — FastAPI app ... `fred_prompt.py` — System prompt builder ... `.env` — Secrets ... `contacts.json` — Caller whitelist

Recommendation

Provide the bridge implementation for review, document exact file locations and permissions, pin dependencies, and include tests or clear instructions showing how authentication, rate limiting, and memory access are enforced.

What this means

Misconfigured or leaked credentials could allow unauthorized use of the user's phone number, ElevenLabs account, Anthropic account, or bridge endpoint.

Why it was flagged

Provider credentials are expected for this integration, but they grant access to paid accounts and phone/LLM services and are not declared in the registry metadata.

Skill content

Prerequisites ... ElevenLabs account + API key ... Twilio account + phone number ... Anthropic API key ... `.env` — Secrets (API keys, tokens, whitelist)

Recommendation

Use least-privilege keys where available, keep secrets out of logs and prompts, rotate credentials after testing, and declare required credentials in the skill metadata.

What this means

Call content, memory-derived context, and action requests may pass through Twilio, ElevenLabs, the bridge, and Anthropic.

Why it was flagged

The architecture intentionally routes caller audio/conversation through multiple external services and a public bridge endpoint; this is purpose-aligned but creates important data-boundary and authentication considerations.

Skill content

Phone → Twilio → ElevenLabs Agent → Your Bridge → Anthropic Claude → OpenClaw Tools

Recommendation

Document what data each service receives, validate request origin and bearer tokens at the bridge, use HTTPS-only endpoints, and avoid sending private memory to services unless necessary.