Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Google Voice Caller
v1.2.1
Automate Google Voice calls with AI-generated voice (TTS) or local audio injection.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious (high confidence)
Purpose & Capability
The name/description, SKILL.md, and code align: Puppeteer-driven Chromium + ffmpeg + TTS/audio injection to drive voice.google.com is coherent with an automated caller. However, the skill ships a full google_voice_cookies.json file (session cookies) inside the repository — that is not required to describe the capability and is disproportionate and dangerous. The code also supports GV_COOKIE_PATH via env but the skill declares no env requirements.
Instruction Scope
Runtime instructions and engine.js explicitly read a cookie file, set cookies into the headless page, navigate to voice.google.com, click UI to place calls, inject a fake-audio file, and capture recorded audio into /tmp. Those actions are directly tied to the stated purpose, but the instructions/docs ask the user to 'place google_voice_cookies.json' while the repository already contains one — this contradicts the 'keep cookies secure' guidance and widens the attack surface. The engine captures audio in-page and writes it to /tmp, but does not show exfiltration to external servers.
Install Mechanism
No install spec is provided (instruction-only), which is lower risk. The skill expects puppeteer-core, chromium, and ffmpeg, which is reasonable for the functionality. There is no remote download/install URL in the package, so installation risk is limited to the usual Node/native dependencies. Note: the package includes Node code but no package.json, so consumers must install and pin the dependencies themselves.
Credentials
The package bundles google_voice_cookies.json containing many Google session cookies (APISID, SID, HSID, etc.). Requesting or embedding full session cookies is disproportionate compared to the declared requirements (the SKILL.md says to provide your own cookies but the repo includes them). The code will use those cookies by default (or GV_COOKIE_PATH if set), granting whoever runs the skill immediate authenticated access to the associated Google account. No other env secrets are declared, but GV_COOKIE_PATH is referenced without being documented as required.
Persistence & Privilege
The skill is not force-enabled (always:false) and is user-invocable, which is normal. However, autonomous invocation plus included account cookies increases the blast radius: an agent could autonomously place calls using the embedded account. The Chromium launch disables sandboxing (--no-sandbox, typically done so Chromium will run as root in a container), which weakens process isolation and is an additional operational risk.
Scan Findings in Context
[embedded-credentials-google-cookies] unexpected: The repository contains google_voice_cookies.json with numerous Google authentication cookies (APISID, SID, HSID, __Secure-*, etc.). Bundling session cookies is not expected or necessary for a caller plugin and effectively ships credentials. This is a high-risk practice: the skill should require the user to supply their own credentials/cookies (or use an official auth flow) and should not include live cookies in the package.
What to consider before installing
Do not install or run this skill as-is. The package contains a google_voice_cookies.json file with session cookies that grant access to a Google account; anyone who runs it with those cookies can make calls, incur charges, or access that account's data. Before using this skill:
1) Remove the bundled google_voice_cookies.json and never run code against session cookies whose origin you cannot verify.
2) Prefer an official auth flow, or supply your own cookies (via GV_COOKIE_PATH) from an account you control, and verify their provenance.
3) Run the skill in an isolated environment (not as root) and ensure Chromium's sandbox is available; avoid --no-sandbox if possible.
4) Audit lib/engine.js for any outbound network calls or exfiltration and confirm recordings are stored only where you expect.
5) Consider the legal and privacy implications of automated calling and call recording in your jurisdiction.
If you cannot verify the cookie ownership and the publisher's intent, treat this package as unsafe and do not install it.
latest: vk977d76bjzj7bqr88p98nwb65h83e1ra
