botcall-mcp
v0.1.1
Give your AI agent a real phone number for SMS verification. Provisions numbers, receives SMS, and extracts verification codes via the botcall API. Requires...
by Dane Hesseldahl (@danecodes)
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The skill claims to provision phone numbers and receive SMS via the Botcall API and the SKILL.md requires a BOTCALL_API_KEY and refers to botcall.io/npm/github resources—these are appropriate and expected for this functionality.
Instruction Scope
Instructions are focused on adding an MCP server (via npx botcall-mcp) and setting BOTCALL_API_KEY (env or in Claude Desktop config). This is within scope, but the guide explicitly asks you to place your API key into ~/Library/Application Support/Claude/claude_desktop_config.json which stores a long-lived secret in plaintext; that persistence and the recommendation to run remote code deserve caution.
Install Mechanism
No registry install spec exists in metadata, but the SKILL.md directs use of `npx -y botcall-mcp`. npx will fetch and execute code from the npm registry at runtime (arbitrary remote code execution risk). The skill points to an npm package and GitHub repo, which helps with verification, but executing via npx without first auditing the package is a moderate risk.
Credentials
Only BOTCALL_API_KEY (required) and optional BOTCALL_API_URL are requested—this is proportionate to the stated purpose. However, that API key grants access to provision numbers and read SMS (sensitive capabilities), so consider the security of how/where you store it (avoid shared or world-readable configs).
Persistence & Privilege
always:false and normal autonomous invocation are fine. The setup instructs adding an MCP server entry to the agent's desktop config (persisting the API key and an automatic command run), which is expected for an MCP but increases persistence and blast radius if the key is compromised—this is not inherently malicious but should be done consciously.
Assessment
This skill appears to do what it says, but take these precautions before installing:
1) Review the npm package and GitHub repo (botcall-mcp) yourself—inspect the code before running it with npx.
2) Prefer installing locally (clone + audit) rather than blindly running `npx` to avoid executing unreviewed remote code.
3) Store BOTCALL_API_KEY securely (avoid putting it in shared plaintext config).
4) Use an account/key with minimal privileges and monitor usage (Botcall access lets the service provision numbers and read SMS).
5) Understand costs and terms on botcall.io and consider using ephemeral/test keys where available.
If you cannot review the package or are uncomfortable storing the key in your agent config, treat this skill as higher risk and do not install.
Like a lobster shell, security has layers — review code before you run it.
