Agentic Calling
Security checks across static analysis, malware telemetry, and agentic risk
Overview
The skill largely does what it claims, but it gives an autonomous agent broad real-world calling/SMS/recording power and contains an unsafe script pattern that could be abused through malicious call text.
Install only if you intentionally want an agent to use your Twilio account for real calls or SMS. Before enabling it, add human approval, recipient allowlists, spend/rate limits, and consent rules for recording. Avoid passing untrusted message text until the script's Python/TwiML construction is fixed.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
An agent with access to this skill and Twilio credentials could place real phone calls or send messages to arbitrary numbers, potentially causing costs, unwanted contact, or compliance issues.
Running the script directly posts to Twilio's Calls API using supplied recipient and message values. The artifacts do not show confirmation prompts, recipient allowlists, rate limits, or spend controls for autonomous agent use.
FORM_DATA="To=${TO_NUMBER}&From=${TWILIO_PHONE_NUMBER}&Twiml=${TWIML_ENCODED}&Timeout=${TIMEOUT}" ... RESPONSE=$(curl -s -X POST "$API_URL" \
-u "${TWILIO_ACCOUNT_SID}:${TWILIO_AUTH_TOKEN}" \
-d "$FORM_DATA")
Use only with explicit user approval, recipient allowlists, rate limits, logging, and Twilio spend controls; avoid enabling autonomous calling for open-ended tasks.
Malicious or untrusted message text passed into the call tool could potentially execute local code in the user's environment or alter the generated Twilio instructions.
Command-line inputs such as the call message are interpolated into a Python -c program via a triple-quoted string. A crafted message containing triple quotes could break out of the string and execute Python code; the TwiML is also not XML-escaped.
TWIML="<?xml version=\"1.0\" encoding=\"UTF-8\"?><Response><Say voice=\"$VOICE\">$MESSAGE</Say>" ... TWIML_ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$TWIML'''))")
Do not pass untrusted text to this script as-is. Maintainers should URL-encode via stdin or a safe argument channel, XML-escape message content, and validate voice/message fields before generating TwiML.
Anyone or any agent process with access to the token can use the linked Twilio account for calls/messages and related call data within the script capabilities.
The skill needs Twilio account credentials to perform its stated function. This is expected, but the token authorizes billing-impacting communications and call-data access, while the registry metadata declares no primary credential.
Create `~/.clawdbot/twilio-config.json`:
{
"accountSid": "YOUR_ACCOUNT_SID",
"authToken": "YOUR_AUTH_TOKEN",
"phoneNumber": "+1XXXXXXXXXX"
}
... export TWILIO_AUTH_TOKEN="your_auth_token"
Use a dedicated Twilio account or restricted credential where possible, protect the config file permissions, rotate tokens if exposed, and set Twilio spending/usage limits.
If the callback URL is wrong or untrusted, call metadata or recording/transcription events could be exposed outside the intended system.
The script can configure Twilio status, recording, and transcription callbacks to a user-supplied URL. This is purpose-aligned, but call metadata and recording-related events may be sent to that endpoint.
FORM_DATA="${FORM_DATA}&RecordingStatusCallback=${CALLBACK_URL}/recording&Transcribe=true" ... FORM_DATA="${FORM_DATA}&StatusCallback=${CALLBACK_URL}"
Use only trusted HTTPS callback endpoints, validate callback URLs, and avoid recording/transcription unless callers have consented and the data destination is controlled.
Users may assume additional scripts are part of the reviewed skill or may go looking for unreviewed replacements.
SKILL.md documents helper scripts for webhooks, receiving calls, IVR, conferences, and ElevenLabs that are not included in the provided file manifest, so those documented workflows cannot be reviewed from the supplied package.
./scripts/setup-webhook.sh --url "https://your-server.com/voice" ... ./scripts/receive-call.sh --port 3000 ... ./scripts/make-call-elevenlabs.sh --to "+15551234567" --message "Hello" --voice-id "YOUR_VOICE_ID"
Use only the scripts included in the reviewed package unless separately auditing any missing helper scripts from a trusted source.
