ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

OpenPhone

v1.0.0

Manage business phone calls, SMS, and contacts via OpenPhone API. Use when asked to send a text message, list calls or messages, look up conversation history...

0· 62·1 current·1 all-time
by@dwhite-oss
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The SKILL.md describes exactly the OpenPhone REST API endpoints you would expect for sending SMS, listing calls/messages, and managing contacts—functionality is consistent with the skill name and description. However, the SKILL.md explicitly requires OPENPHONE_API_KEY while the registry metadata lists no required env vars or primary credential, creating a mismatch.
!
Instruction Scope
Instructions are narrowly scoped to curl requests against https://api.openphone.com/v1 and do not reference unrelated files or endpoints. However, they directly reference the environment variable $OPENPHONE_API_KEY in every example; that env var is not declared in the skill metadata, so the runtime behavior (and what secrets the agent will access) is unclear.
Install Mechanism
Instruction-only skill with no install spec and no code files. This is low-risk from an installation/execution perspective because nothing is downloaded or written to disk by an installer.
!
Credentials
Only one secret (an OpenPhone API key) appears necessary and is proportional to the described capabilities. The problem is that the metadata does not declare that secret; the SKILL.md does. That omission prevents proper vetting (e.g., prompting the user for a limited-scope API key) and may cause accidental exposure of a broader key.
Persistence & Privilege
always:false and no install scripts or config writes are present. The skill does not request persistent system privileges or modify other skills' configuration.
What to consider before installing
Do not install or provide credentials until the metadata and the runtime instructions agree. Specifically: (1) Confirm with the publisher/source that OPENPHONE_API_KEY is required and that the registry metadata will be updated to declare it. (2) If you provide a key, use a least-privilege OpenPhone API key or a workspace-limited token, not a full account master key. (3) Verify the agent will only call api.openphone.com and will not send the key to other endpoints. (4) Consider creating and testing with a dedicated test number/key and rotate the key if it is exposed. (5) Prefer skills from a verifiable/known publisher or ask for source code before granting credentials. Minor note: examples set Authorization: $OPENPHONE_API_KEY (without a Bearer prefix); confirm the correct header format when configuring keys.

Like a lobster shell, security has layers — review code before you run it.

business-phonevk97dq47mcs21xswzs3yzxvzt5x83qyyscallsvk97dq47mcs21xswzs3yzxvzt5x83qyyslatestvk97dq47mcs21xswzs3yzxvzt5x83qyysopenphonevk97dq47mcs21xswzs3yzxvzt5x83qyysphonevk97dq47mcs21xswzs3yzxvzt5x83qyyssmsvk97dq47mcs21xswzs3yzxvzt5x83qyys

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments