Voice Call Local

Advisory

Audited by static analysis on May 12, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern
Medium Confidence
ASI02: Tool Misuse and Exploitation
What this means

The agent could place an unintended outbound call, contact the wrong person, or incur telephony charges if invoked without careful user control.

Why it was flagged

This exposes a call-starting action to the agent with recipient and message parameters, but the skill does not document confirmation, allowed recipients, rate limits, or cost controls.

Skill content
Use `voice_call` for agent-initiated calls.

Actions:

- `initiate_call` (message, to?, mode?)

Recommendation

Require explicit user confirmation of the recipient, message, and provider before every real call; consider allowlists, rate limits, and using the mock provider for testing.

What this means

If the provider credentials are misused, calls may be made under the user's telephony account and may generate charges.

Why it was flagged

The skill requires telephony provider credentials for real calls. This is expected for the stated purpose, but those credentials grant account authority.

Skill content
- Twilio config: `provider: "twilio"` + `twilio.accountSid/authToken` + `fromNumber`.
- Telnyx config: `provider: "telnyx"` + `telnyx.apiKey/connectionId` + `fromNumber`.
- Plivo config: `provider: "plivo"` + `plivo.authId/authToken` + `fromNumber`.

Recommendation

Use dedicated, least-privilege provider credentials where possible, store them securely, monitor usage, and revoke them when no longer needed.

What this means

Phone numbers and call message content may be processed by the selected telephony provider.

Why it was flagged

For non-mock providers, call recipient numbers and spoken message content will likely be sent through the configured telephony provider. This is purpose-aligned but privacy-relevant.

Skill content
Use the voice-call plugin to start or inspect calls (Twilio, Telnyx, Plivo, or mock).

Recommendation

Avoid sending sensitive information in call messages unless the provider and configuration are trusted and appropriate for that data.

What this means

The package identity may be confusing, making it harder to confirm that the registry entry and packaged artifact refer to the same release.

Why it was flagged

These embedded metadata values differ from the supplied registry metadata for owner, slug, and version. There is no runnable code here, so this is a provenance note rather than evidence of unsafe behavior.

Skill content
"ownerId": "kn7feta5p1mg5pkezkfsk1ep31812ev2", "slug": "voice-call", "version": "0.1.0"

Recommendation

Verify the publisher and intended skill identity before enabling the plugin or adding real provider credentials.