Google Voice
PassAudited by VirusTotal on May 10, 2026.
Overview
Type: OpenClaw Skill Name: google-voice Version: 0.3.0 The skill bundle provides extensive automation for Google Voice, including reading SMS history, sending messages, and making outbound calls with audio injection. While the documentation in SKILL.md emphasizes safety and user consent, the implementation uses high-risk capabilities such as Puppeteer-based browser automation, Chrome DevTools Protocol (CDP) for session manipulation, and local file access for cookie handling (google-voice-call-audio-engine.js). There is no evidence of intentional malice or data exfiltration, but the broad access to communication services and the use of UI automation to bypass standard API limitations warrant a suspicious classification.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or overly broad agent action could call Google Voice web endpoints with the user's session, potentially changing message state, sending texts, or performing other account actions beyond the safer named tools.
The MCP server exposes a raw authenticated endpoint/body tool using the user's Google Voice session. The code does not restrict the path to a narrow allowlist or enforce approval before executing the raw call.
{ name: 'gv_raw_call', description: 'Advanced: call a HAR-derived Google Voice endpoint with a JSON/protobuf body. For debugging only.', inputSchema: { type:'object', required:['path','body'] ... } } ... if (name === 'gv_raw_call') return await gvFetch(args.path, args.body);Disable or remove `gv_raw_call` for normal use, restrict it to an allowlist of read-only endpoints, and require an explicit user confirmation gate before any mutating Google Voice call.
Installing or using the skill can let the agent access Google Voice messages and perform actions as the logged-in Google account.
The skill can authenticate using browser cookies, an authorization header, or browser/CDP session state. This is aligned with Google Voice automation but grants substantial account authority.
const MODE = process.env.GV_AUTH_MODE || (process.env.GV_COOKIE || process.env.GV_AUTHORIZATION ? 'header' : 'browser'); ... if (process.env.GV_COOKIE) headers.cookie = process.env.GV_COOKIE; if (process.env.GV_AUTHORIZATION) headers.authorization = process.env.GV_AUTHORIZATION;
Use a dedicated browser profile when possible, prefer browser/CDP mode over copying cookies into environment variables, and never share HAR files, cookies, or authorization headers.
If the local `gws` command or GWS_BIN path is untrusted, the skill could execute unintended local code while handling Google credentials.
Optional GWS OAuth mode executes a local command to export OAuth credentials. This is documented, but it means the skill's behavior depends on the local `gws` binary or a user-supplied `GWS_BIN`.
const { execFileSync } = require('child_process'); const exported = execFileSync(process.env.GWS_BIN || 'gws', ['auth', 'export'], { encoding: 'utf8', stdio: ['ignore', 'pipe', 'ignore'] });Use GWS mode only if needed, verify the `gws` binary path, and avoid setting GWS_BIN to untrusted locations.
Private phone numbers and message contents may become visible to the agent and any logs or downstream tools that receive MCP responses.
SMS thread contents are returned through the MCP tool response into the agent context. This is the intended function, but it moves private message content out of the browser session boundary.
{ name: 'gv_get_thread', description: 'Get messages for a Google Voice thread id...' } ... result:{ content:[{ type:'text', text: JSON.stringify(result, null, 2) }] }Use the read/export tools only for specific user-requested threads, avoid `raw` output unless debugging, and check whether your agent workspace logs MCP responses.
Users may need to install extra packages manually, and unsafe package sources could introduce risk.
The optional audio workflow relies on external tools, while the registry shows no install spec or required binaries. This is disclosed but leaves dependency sourcing to the user.
Dependencies: `puppeteer-core`, Chromium, `ffmpeg`, and `edge-tts` for `--text`.
Install optional dependencies only from trusted package managers or vendor sources, and use the simpler CDP call mode if audio injection is not needed.