Tour Booking

Pass: Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: tour-booking
Version: 0.1.0

The skill is classified as suspicious due to significant vulnerabilities related to input sanitization. The `scripts/prepare_call_payload.py` script directly uses `listing['office_phone']` from user-controlled input as the `to_number` for outbound calls, enabling potential arbitrary phone calls to untrusted destinations. Additionally, the `system_prompt` for the ElevenLabs AI agent is constructed using f-strings with user-controlled inputs (`client_name`, `address`, `preferred_windows_text`), creating a prompt injection vulnerability against the downstream AI agent. While the skill's core function of making outbound calls via ElevenLabs is legitimate, these vulnerabilities could be exploited for malicious purposes if the inputs are not properly sanitized by the calling workflow.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If run in live mode, the skill may call listing offices and request or confirm property showing slots.

Why it was flagged

The skill explicitly supports a live action that places outbound calls. This is expected for the skill, but it can contact third parties and influence showing appointments.

Skill content
Live mode:

```bash
python3 scripts/place_outbound_call.py \
  --payload /tmp/call-payload.json \
  --output /tmp/call-result.json \
  --live
```

Recommendation

Use the documented dry-run first, inspect the prepared payload and destination phone number, and only run live mode after approval.

What this means

The skill can use the configured ElevenLabs account to submit outbound call requests when live mode is selected.

Why it was flagged

Live calling depends on ElevenLabs account credentials. This is purpose-aligned, but the registry metadata does not declare required credentials or environment variables.

Skill content

```python
api_key = os.environ.get("ELEVENLABS_API_KEY")
agent_id = os.environ.get("ELEVENLABS_AGENT_ID")
```

Recommendation

Provide a scoped ElevenLabs key if possible, keep it out of logs, and verify the configured outbound endpoint before live use.

Note: Medium Confidence

ASI01: Agent Goal Hijack

What this means

Malformed or adversarial listing data could affect what the calling agent says or asks during a live call.

Why it was flagged

Listing and client-provided fields are embedded directly into the downstream call prompt. If those fields contain instruction-like text, they could influence the voice agent's behavior.

Skill content

```python
f"slots for {listing['address']} for client {job['client_name']}. "
f"Preferred windows: {job.get('preferred_windows_text', 'not provided')}. "
```

Recommendation

Validate or sanitize job fields, delimit them clearly as data, and inspect the dry-run payload before allowing live calls.