AgentCall

Review

Audited by ClawScan on May 13, 2026.

Overview

AgentCall is a coherent phone/SMS/voice API skill with real-money and real-world calling powers that are disclosed and guarded by confirmation instructions.

Install only if you trust AgentCall with your phone/SMS/call data and API key. Before using it, confirm budgets, recipients, recording consent, webhook destinations, and disable any inbound AI receptionist when it is no longer needed.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If authorized incorrectly, the agent could create charges or contact real people by SMS or phone.

Why it was flagged

The skill can spend money, provision numbers, send messages, and place calls, but the instructions explicitly disclose these effects and require confirmation.

Skill content

Several tools below take real-world actions on the user's behalf. Confirm with the user before invoking them... Billable actions... POST /v1/numbers/provision... POST /v1/sms/send... POST /v1/calls/initiate... POST /v1/calls/ai

Recommendation

Confirm the recipient, message, destination number, duration, recording choice, and budget before allowing any billable or outreach action.

What this means

Anyone with the API key could potentially use the user's AgentCall account and incur usage within the account's limits.

Why it was flagged

The skill requires an AgentCall account credential that can authorize actions against the user's AgentCall account.

Skill content

"credentials": { "AGENTCALL_API_KEY": { "description": "AgentCall API key (starts with ac_live_). Get one free at https://agentcall.co", "required": true } }

Recommendation

Store the API key only in trusted environments, rotate it if exposed, and use the least-privileged or test key option if AgentCall provides one.

What this means

Once enabled, the AI receptionist can answer future incoming calls and may generate usage charges until disabled or capped by plan limits.

Why it was flagged

Inbound AI is a persistent configuration that continues handling future calls, but the skill documents monitoring and disable procedures.

Skill content

Configure a phone number so incoming calls are answered autonomously by an AI voice agent... Monitor usage... Disable as soon as the configuration is no longer needed

Recommendation

Enable inbound AI only for a specific number and purpose, set the shortest practical max duration, monitor usage, and disable it when the need ends.

What this means

Misconfigured webhook endpoints could expose SMS content, OTPs, recordings, or call transcripts to the wrong place.

Why it was flagged

The skill can route sensitive telephony events, OTPs, recordings, and transcripts to user-configured webhooks.

Skill content

"This skill can register webhook endpoints to receive real-time events (inbound SMS, OTP codes, call status, recordings, AI call transcripts)... Webhooks require an HTTPS URL you control."

Recommendation

Use only HTTPS endpoints you control, verify HMAC signatures, protect webhook secrets, and avoid forwarding OTPs or transcripts to untrusted systems.