Talk
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If these credentials are mishandled or over-shared, someone could use the user's voice or telephony accounts and create costs.
The setup asks users to configure provider credentials for paid telephony and voice services. This is expected for the skill's purpose, but those credentials can authorize account usage and charges.
Get Account SID + Auth Token from Console ... twilio:\n accountSid: "AC..."\n authToken: "..."
Use provider-recommended secret storage, avoid pasting real tokens into shared chats or files, restrict credentials where possible, and rotate keys if exposed.
A public webhook URL may let outside traffic reach a local voice service, and open inbound calling can create unwanted usage or costs.
The guide recommends public tunnel commands so voice providers can reach local webhooks. This is purpose-aligned for phone calls, but it can expose a local service if the endpoint is not secured.
Voice calls need a public URL ... ngrok http 8013 ... tailscale funnel 8013 ... cloudflared tunnel --url http://localhost:8013
Only run tunnels intentionally, protect webhook endpoints, prefer allowlists or pairing, and shut down temporary tunnels when finished.
Private notes or persistent context could be spoken or used during calls if the advanced memory feature is configured.
The advanced option describes loading persistent memory into calls through another skill. This may be useful, but it can also expose stored context to callers or voice providers if enabled.
- Memory injection (MEMORY.md loaded into calls)
Review any memory file before enabling voice-call memory features, keep sensitive information out of shared call context, and limit use to trusted callers.
Installing the additional skill may add capabilities or permissions not reviewed here.
The current skill is instruction-only, but it recommends installing a separate skill for advanced functionality. That other skill is not included in these artifacts.
Install the `phone-voice` skill for: ... ```bash\nclawhub install phone-voice\n```
Review the `phone-voice` skill's own artifacts, permissions, and setup instructions before installing it.