Voice Ai Integration
ReviewAudited by ClawScan on May 1, 2026.
Overview
The skill is coherent for Shengwang voice/RTC integrations, but it uses network doc/repo fetches and may guide credentialed voice-agent, recording, history, and MCP-tool APIs that users should review.
Use this skill if you expect Shengwang/Agora-style voice, RTC, recording, or token integration help. Before installing, be comfortable with doc/repo network fetches, keep all service keys in environment variables or a secret manager, review generated REST calls for recording/agent lifecycle/history, and tightly scope any MCP tools.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Users have less external context for verifying the bundled helper scripts and publisher identity.
The registry does not provide an upstream source or homepage for a skill that includes helper scripts, limiting independent provenance review.
Source: unknown; Homepage: none; Code file presence: 2 code file(s): scripts/fetch-doc-content.sh, scripts/fetch-docs.sh
Install only if you trust the registry/publisher, and review the included helper scripts before allowing shell commands in stricter environments.
The assistant may run a bash/curl helper to download Shengwang documentation before answering integration questions.
The skill instructs the agent to run a bundled shell helper and fetch a documentation index before normal use. This is disclosed and purpose-aligned, but it is still local command execution plus network access.
Execute this BEFORE any routing or code generation... bash skills/voice-ai-integration/scripts/fetch-docs.sh
Allow the doc fetch only if expected; in controlled environments, inspect the script and restrict network access to the named documentation domains.
Using the generated guidance or API calls could record participant audio/video and incur service or storage costs.
The skill documents APIs that can start cloud recording of live RTC sessions and affect billing. This is expected for a Cloud Recording integration but is high-impact if used without review.
Records active RTC sessions to cloud storage... acquire → start → stop... stop ends recording (always call to avoid billing)
Review any start/stop recording calls, confirm participant consent and storage destination, and ensure recordings are stopped when no longer needed.
Exposed or overbroad keys could allow unwanted use of Shengwang services or generate costs.
The skill requires or references service credentials for Shengwang APIs. This is purpose-aligned, and the artifacts also advise against hardcoding secrets, but these credentials can control account resources.
HTTP Basic Auth: `SHENGWANG_CUSTOMER_KEY` + `SHENGWANG_CUSTOMER_SECRET`
Use environment variables or a secret manager, prefer test projects/least-privilege credentials, and never paste long-lived secrets into generated files.
Conversation transcripts may be read into the workflow when history features are used.
The ConvoAI history API can retrieve short-term memory containing user and agent conversation messages, which may include sensitive content.
获取用户和智能体对话的短期记忆... 包括... 用户和智能体对话消息
Avoid sending secrets or regulated data in conversations, and review when history retrieval is enabled or queried.
A configured voice agent could call external tools during conversations, potentially exposing data or performing actions through those tools.
The ConvoAI configuration can connect the voice agent to external MCP servers with headers and tool allowlists; if `allowed_tools` is omitted, all tools become active.
`properties.llm.mcp_servers`... `endpoint`... `headers`... `allowed_tools`; 不填写 `allowed_tools` 字段:所有工具都生效
Use trusted MCP endpoints, avoid wildcard or omitted tool allowlists, scope headers/tokens tightly, and test with non-production tools first.