Voice Call Local
ReviewAudited by ClawScan on May 12, 2026.
Overview
This instruction-only skill is transparent about starting voice calls, but it should be reviewed because it lets an agent initiate outbound calls with provider credentials without documented approval or recipient limits.
Install only if you intend to let OpenClaw use the voice-call plugin. Before using real provider credentials, make sure the agent must confirm every call recipient and message, consider testing with the mock provider, and verify the package identity despite the metadata mismatch.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could place an unintended outbound call, contact the wrong person, or incur telephony charges if invoked without careful user control.
This exposes a call-starting action to the agent with recipient and message parameters, but the skill does not document confirmation, allowed recipients, rate limits, or cost controls.
Use `voice_call` for agent-initiated calls. Actions: - `initiate_call` (message, to?, mode?)
Require explicit user confirmation of the recipient, message, and provider before every real call; consider allowlists, rate limits, and using the mock provider for testing.
If the provider credentials are misused, calls may be made under the user's telephony account and may generate charges.
The skill requires telephony provider credentials for real calls. This is expected for the stated purpose, but those credentials grant account authority.
Twilio config: `provider: "twilio"` + `twilio.accountSid/authToken` + `fromNumber`. - Telnyx config: `provider: "telnyx"` + `telnyx.apiKey/connectionId` + `fromNumber`. - Plivo config: `provider: "plivo"` + `plivo.authId/authToken` + `fromNumber`.
Use dedicated, least-privilege provider credentials where possible, store them securely, monitor usage, and revoke them when no longer needed.
Phone numbers and call message content may be processed by the selected telephony provider.
For non-mock providers, call recipient numbers and spoken message content will likely be sent through the configured telephony provider. This is purpose-aligned but privacy-relevant.
Use the voice-call plugin to start or inspect calls (Twilio, Telnyx, Plivo, or mock).
Avoid sending sensitive information in call messages unless the provider and configuration are trusted and appropriate for that data.
The package identity may be confusing, making it harder to confirm that the registry entry and packaged artifact refer to the same release.
These embedded metadata values differ from the supplied registry metadata for owner, slug, and version. There is no runnable code here, so this is a provenance note rather than evidence of unsafe behavior.
"ownerId": "kn7feta5p1mg5pkezkfsk1ep31812ev2", "slug": "voice-call", "version": "0.1.0"
Verify the publisher and intended skill identity before enabling the plugin or adding real provider credentials.