Agentic Calling
WarnAudited by ClawScan on May 10, 2026.
Overview
This is a real Twilio calling/SMS skill, but it gives an agent high-impact phone and recording authority without clear guardrails and includes unsafe message handling that could run local code if given crafted text.
Install only if you intentionally want an agent to place real phone calls or send SMS through your Twilio account. Before use, fix the unsafe message encoding, use a dedicated/restricted Twilio account, require human approval for recipients and message content, set spending/rate limits, and handle call recording consent carefully.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the agent passes untrusted text into the call message, that text could potentially execute commands on the user's machine.
The user/agent-controlled message and voice are inserted into XML and then into Python source code inside a shell command. A crafted value containing Python string delimiters could break out of the quoted string and execute local Python code, which is beyond the skill's stated purpose of placing calls.
TWIML="<?xml version=\"1.0\" encoding=\"UTF-8\"?><Response><Say voice=\"$VOICE\">$MESSAGE</Say>" ... TWIML_ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$TWIML'''))")Do not pass untrusted text to --message until this is fixed. The script should URL-encode data via stdin, environment variables, or a safe argument API rather than constructing Python code from user-controlled strings.
An agent could call or text many people, mark messages urgent, record calls, or incur Twilio charges if invoked with broad recipient lists or poor instructions.
The documentation explicitly supports autonomous calling and parallel broadcast calls, but the artifacts do not describe confirmation requirements, recipient allowlists, rate limits, opt-out handling, or recording-consent controls.
**Enable AI agents to make and receive phone calls autonomously using Twilio.** ... cat on-call-list.txt | while read phone; do ./scripts/make-call.sh ... --urgent true & done
Use this only with explicit per-campaign approval, recipient allowlists, spending/rate limits, and clear policies for call recording and consent.
Anyone or any agent run with access to this credential can use the associated Twilio account for calls, SMS, and call-data retrieval supported by the scripts.
The script reads a Twilio Auth Token from a local config file or environment variable and uses it for authenticated Twilio API calls. This is expected for a Twilio integration, but it is high-privilege and the registry metadata declares no primary credential or required environment variables.
CONFIG_FILE="${HOME}/.clawdbot/twilio-config.json" ... TWILIO_AUTH_TOKEN=$(jq -r '.authToken // empty' "$CONFIG_FILE") ... -u "${TWILIO_ACCOUNT_SID}:${TWILIO_AUTH_TOKEN}"Use a dedicated Twilio subaccount or least-privilege credential where possible, restrict file permissions on the config file, and rotate the token if it may have been exposed.
Some advertised workflows may fail, or a user might be tempted to download unreviewed scripts to fill the gap.
The documentation references helper scripts for webhooks, inbound calls, IVR, conferencing, and ElevenLabs that are not included in the provided file manifest. That creates an incomplete-provenance gap if users or agents search for replacements.
./scripts/setup-webhook.sh --url "https://your-server.com/voice" ... ./scripts/receive-call.sh --port 3000 ... ./scripts/make-call-elevenlabs.sh --to "+15551234567"
Use only the included reviewed scripts unless the missing helpers are supplied from a trusted, reviewed source.