Telecom Agent Skill
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is coherent for telecom operations, but it gives an agent broad bulk-calling, recording, account-linking, and remote-install authority without clear enough scope or safeguards.
Review this carefully before installing. Use only a dedicated, limited Twilio account with spending and destination limits, verify the external GitHub code, require explicit human approval for calls and campaigns, and confirm recording consent, retention, and transcript access policies.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Installing unreviewed remote code could give unknown software access to telecom workflows and connected accounts.
The provided package is instruction-only with no reviewed code or install spec, yet it directs installation from an external GitHub repository for a high-impact telecom tool.
/install https://github.com/kflohr/telecom-agent-skill
Only install from a reviewed, pinned release with an explicit install spec, provenance, and permissions; inspect the repository before linking any telecom account.
A mistaken prompt, bad CSV, or unauthorized use could place large numbers of calls, create cost exposure, and affect third parties.
The skill grants broad authority to act on the public telephone network, including large-scale campaigns and global dialing, without clearly documented campaign caps, allow-lists, legal/compliance checks, or required human confirmation.
Mass Dialing: Upload a list of 10,000+ numbers... Make Calls: Dial any global number.
Require explicit human approval for every campaign and call list, use spending and rate limits, restrict destination countries/numbers, provide dry-run previews, and document cancellation/rollback controls.
A connected Twilio account could be billed or misused for large-scale calling if permissions are too broad.
The skill asks users to link a Twilio account while also advertising global dialing and bulk campaigns, but the artifact does not define least-privilege scopes, subaccount isolation, spending limits, or credential handling.
telecom onboard # Follow the wizard to link your Twilio account.
Use a dedicated Twilio subaccount, narrow API permissions, spending caps, destination restrictions, audit logs, and easy revocation before enabling the skill.
Private call contents could be stored, retrieved, or exposed beyond the immediate call task.
The skill collects and persists sensitive call audio/transcripts and makes them agent-readable, but does not specify retention, consent, redaction, access controls, or when this memory may be reused.
Records audio automatically for quality assurance... Agent can read full call transcripts... All logs saved to the secure Operator Console.
Confirm recording consent requirements, retention limits, transcript redaction, access controls, deletion/export features, and whether agents can reuse transcripts across tasks.
A compromised or misconfigured Telegram bot/account could expose telecom status or approve high-risk actions.
The skill routes monitoring and approvals through Telegram, but the artifact does not describe admin identity verification, bot access controls, or how approval messages are protected from spoofing or misrouting.
Remote Admin: Monitor system status from a Telegram Bot. Approvals: Approve/Deny high-risk actions via mobile buttons.
Restrict approvals to allow-listed admins, require strong authentication, include full action context in approval prompts, and keep auditable approval logs.
