Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Phone Call Agent
v1.0.1 · AI voice call agent — make outbound calls, generate browser call links, accept inbound calls, and retrieve full transcripts + summaries when calls end. Suppo...
⭐ 0 · 250 · 0 current · 0 all-time
by Little 羊 (@littlesheepxy)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw: Suspicious (medium confidence)
Purpose & Capability
The skill's stated purpose (outbound/inbound voice calls, transcripts) reasonably explains the need for LLM, STT/TTS, LiveKit and SIP credentials. However, the registry metadata lists no required environment variables, binaries, or config paths while the SKILL.md clearly requires many API keys, a SIP trunk ID, Docker/Python/docker-compose usage, and editing a local Claude config file. That mismatch (declared 'none' vs. many required items in the doc) is incoherent and should be explained by the publisher.
Instruction Scope
The instructions tell the user to git-clone a repository, run docker compose, pip install mcp, and — importantly — edit the user's Claude desktop configuration file (~/Library/Application Support/Claude/claude_desktop_config.json) to add an MCP server entry. Modifying an agent/client config is outside a simple 'call helper' and grants this skill a privileged integration point; the SKILL.md also contains frontmatter fields (argument-hint/metadata) that triggered a 'system-prompt-override' injection pattern. All of this is within the doc but increases risk and requires careful code review before enabling.
Install Mechanism
There is no formal install spec in the registry entry; the SKILL.md instructs pulling code from GitHub and using Docker Compose and pip. Using a GitHub repo is normal and acceptable, but the registry metadata omits declaring required binaries (git, docker, docker-compose, python, pip). The repo URL is a GitHub host (lower risk than arbitrary IPs), but because the skill asks you to run code and install services, inspect the repository before running.
Credentials
The .env in SKILL.md requests numerous credentials: LLM API key(s), LIVEKIT keys, VOLCENGINE tokens, SIP_OUTBOUND_TRUNK_ID, and CLOUDFLARE_TOKEN for a public tunnel. These are plausible for a call agent, but the registry declared no required env vars — an inconsistency. In particular, a Cloudflare token and any LLM keys are high-value secrets; the SKILL.md does not document minimal scopes or guidance for limited permissions.
Persistence & Privilege
The skill instructs editing the user's Claude desktop config to register an MCP server entry. That changes another application's configuration to enable this skill's process to be launched by Claude — effectively granting the skill a persistent integration point. The skill does not set 'always: true', but modifying another app's config is a privileged operation and should only be done after code review and verifying the publisher.
Scan Findings in Context
[system-prompt-override] unexpected: The SKILL.md frontmatter contains fields (argument-hint, metadata, compatibility) and content patterns that the scanner flagged as potential system-prompt override or injection. While frontmatter can be benign, prompt-injection capability in skill instructions increases risk because it may try to influence the agent's system role or behavior beyond intended operational scope.
What to consider before installing
This skill is plausible for making browser-based and SIP calls, but exercise caution before installing:
1) The registry metadata claims no required env/config, yet the SKILL.md asks you to supply LLM API keys, LiveKit/VOLCENGINE tokens, a SIP trunk ID and a Cloudflare token — verify why these are needed and limit token scopes where possible.
2) The SKILL.md instructs you to modify your Claude client config (~/Library/Application Support/Claude/claude_desktop_config.json) to add an MCP server entry. That registers code you pull from GitHub to be launched by your agent — only do this if you fully trust and have reviewed the repository (particularly backend.mcp_server).
3) Clone and inspect the GitHub repo locally (review Docker compose, backend code, mcp server implementation, and any scripts) before running docker-compose or pip install.
4) Prefer running in an isolated VM/container and avoid exposing high-privilege tokens (Cloudflare token should be scoped/minimized).
5) If you are unsure, ask the publisher for explicit required env variables and the least-privilege guidance, or request a signed/reproducible release.
Because the registry metadata and the runtime instructions disagree and a prompt-injection pattern was detected, treat this skill as 'suspicious' until you can audit the upstream code and verify trustworthiness.
SKILL.md:223: Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
