ClawHub
Back to skill
v1.1.1

ElevenLabs Phone Reminder (Lite)

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:17 AM.

Analysis

This is a transparent instruction-only guide, but following it means using service credentials to create AI phone-calling resources that can contact people and incur charges.

GuidanceThis skill appears benign as a starter guide. Before using it, make sure you are comfortable giving ElevenLabs/Twilio the required credentials, calling only consented recipients, paying any provider charges, and deleting or disabling the created phone-call resources when you are done.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityMediumConfidenceHighStatusNote
SKILL.md
curl -X POST "https://api.elevenlabs.io/v1/convai/twilio/outbound-call" ... "to_number": "+1RECIPIENT_NUMBER"

The artifact provides a raw API command that initiates an outbound phone call. It is user-directed and aligned with the skill purpose, but it can affect recipients and generate costs.

User impactA mistaken or unauthorized call could reach the wrong person, disturb recipients, or create phone charges.
RecommendationOnly call numbers you are authorized to contact, confirm the recipient number before running the command, and monitor Twilio/ElevenLabs usage and billing.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityMediumConfidenceHighStatusNote
SKILL.md
Need: Account SID, Auth Token, Phone Number ... "token": "'$TWILIO_AUTH_TOKEN'"

The guide requires Twilio account credentials and sends the Twilio auth token to ElevenLabs to connect the phone number. This is expected for the integration, but it grants meaningful account and billing authority.

User impactAnyone following the guide will be using credentials that can enable calls and charges on their Twilio/ElevenLabs accounts.
RecommendationUse only official provider consoles, consider restricted credentials or a Twilio subaccount if available, and rotate/revoke tokens if they are pasted into unsafe places.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
Your App → ElevenLabs → Twilio → Phone Network ... Real-time voice interaction (not pre-recorded!)

The guide describes routing live voice calls through ElevenLabs, Twilio, and the phone network. This disclosed provider flow may involve recipient phone numbers and conversation audio.

User impactPhone numbers and call content may be processed by external providers according to their own privacy, retention, and compliance terms.
RecommendationReview ElevenLabs and Twilio privacy/retention settings, avoid sensitive reminder content unless appropriate, and ensure recipients consent to AI voice calls.