Google Voice
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
Review recommended: this skill is transparent about using Google Voice, but it grants broad authenticated access that can read messages, send texts, place calls, and run raw Google Voice API calls.
Install only if you are comfortable giving the agent access to your Google Voice web session. Prefer browser/CDP mode with a dedicated browser profile, avoid copying cookies or auth headers into environment variables, do not use raw_call unless debugging a specific endpoint, and require manual confirmation before sending texts or placing calls.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad agent action could call Google Voice web endpoints with the user's session, potentially changing message state, sending texts, or performing other account actions beyond the safer named tools.
The MCP server exposes a raw authenticated endpoint/body tool using the user's Google Voice session. The code does not restrict the path to a narrow allowlist or enforce approval before executing the raw call.
{ name: 'gv_raw_call', description: 'Advanced: call a HAR-derived Google Voice endpoint with a JSON/protobuf body. For debugging only.', inputSchema: { type:'object', required:['path','body'] ... } } ... if (name === 'gv_raw_call') return await gvFetch(args.path, args.body);
Disable or remove `gv_raw_call` for normal use, restrict it to an allowlist of read-only endpoints, and require an explicit user confirmation gate before any mutating Google Voice call.
Installing or using the skill can let the agent access Google Voice messages and perform actions as the logged-in Google account.
The skill can authenticate using browser cookies, an authorization header, or browser/CDP session state. This is aligned with Google Voice automation but grants substantial account authority.
const MODE = process.env.GV_AUTH_MODE || (process.env.GV_COOKIE || process.env.GV_AUTHORIZATION ? 'header' : 'browser'); ... if (process.env.GV_COOKIE) headers.cookie = process.env.GV_COOKIE; if (process.env.GV_AUTHORIZATION) headers.authorization = process.env.GV_AUTHORIZATION;
Use a dedicated browser profile when possible, prefer browser/CDP mode over copying cookies into environment variables, and never share HAR files, cookies, or authorization headers.
If the local `gws` command or GWS_BIN path is untrusted, the skill could execute unintended local code while handling Google credentials.
Optional GWS OAuth mode executes a local command to export OAuth credentials. This is documented, but it means the skill's behavior depends on the local `gws` binary or a user-supplied `GWS_BIN`.
const { execFileSync } = require('child_process'); const exported = execFileSync(process.env.GWS_BIN || 'gws', ['auth', 'export'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });
Use GWS mode only if needed, verify the `gws` binary path, and avoid setting GWS_BIN to untrusted locations.
Private phone numbers and message contents may become visible to the agent and any logs or downstream tools that receive MCP responses.
SMS thread contents are returned through the MCP tool response into the agent context. This is the intended function, but it moves private message content out of the browser session boundary.
{ name: 'gv_get_thread', description: 'Get messages for a Google Voice thread id...' } ... result:{ content:[{ type:'text', text: JSON.stringify(result, null, 2) }] }
Use the read/export tools only for specific user-requested threads, avoid `raw` output unless debugging, and check whether your agent workspace logs MCP responses.
Users may need to install extra packages manually, and unsafe package sources could introduce risk.
The optional audio workflow relies on external tools, while the registry shows no install spec or required binaries. This is disclosed but leaves dependency sourcing to the user.
Dependencies: `puppeteer-core`, Chromium, `ffmpeg`, and `edge-tts` for `--text`.
Install optional dependencies only from trusted package managers or vendor sources, and use the simpler CDP call mode if audio injection is not needed.
