Phone Call Agent

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This is a coherent phone-call integration, but it needs review because it lets the agent place real calls and collect call transcripts without documented approval, consent, or scope guardrails.

Install only if you trust the external GitHub/Docker project and are prepared to manage phone-call consent, costs, and transcript privacy. Before enabling SIP calling, require explicit confirmation for each call, protect API keys in `.env`, avoid sharing call links publicly, use trusted HTTPS webhooks, and stop the Docker/tunnel services when not needed.

Static analysis

Prompt injection instructions

Severity: Warn
Finding: Prompt-injection style instruction pattern detected.

VirusTotal

VirusTotal findings are pending for this skill version.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If configured, the agent could place calls that affect third parties, incur costs, or create consent/privacy issues if used without careful confirmation.

Why it was flagged

The skill gives the agent a tool that can initiate real outbound calls. The supplied instructions do not describe mandatory user approval, recipient verification, consent handling, rate limits, or call-scope controls before using that tool.

Skill content
Once connected, Claude has access to these tools: ... `make_voice_call(to, skill_id, context)`
Dial a real phone number via SIP.

Recommendation

Require explicit user confirmation immediately before each outbound call, verify the recipient and purpose, add rate/country limits, log call attempts, and document consent/legal responsibilities.

What this means

The external code may handle API keys, transcripts, webhooks, tunnels, and call initiation, but it was not available in the provided package for static review.

Why it was flagged

The runnable service is fetched from an external repository and dependency source rather than included in the reviewed artifact. This is a normal setup pattern for a self-hosted service, but users must trust and review that code before providing credentials.

Skill content
git clone https://github.com/Littlesheepxy/phone-call-agent
cd phone-call-agent
cp .env.example .env
# Fill in .env with your API keys ...
docker compose up
...
cd phone-call-agent && pip install "mcp>=1.0.0"   # quoted so the shell does not treat >= as a redirect to a file named "=1.0.0"

Recommendation

Review the GitHub repository and Docker Compose files, pin a trusted commit and dependency versions, use least-privilege test credentials, and avoid running the service with sensitive production secrets until verified.

What this means

Anyone running the service must protect these keys because they can enable provider usage, phone-call routing, public tunneling, and potential billing exposure.

Why it was flagged

The skill asks for provider credentials and telephony/tunnel configuration that are expected for LLM, speech, SIP, and Cloudflare functionality. The registry metadata, however, declares no required environment variables or primary credential.

Skill content
LLM_API_KEY=sk-...
VOLCENGINE_LLM_API_KEY=...
VOLCENGINE_ASR_TOKEN=...
VOLCENGINE_TTS_TOKEN=...
SIP_OUTBOUND_TRUNK_ID=...
CLOUDFLARE_TOKEN=your-token-here

Recommendation

Use least-privilege credentials, keep `.env` private, rotate keys after testing, monitor provider billing, and prefer separate test accounts or scoped tokens.

What this means

Call contents may include sensitive personal or business information, and link/webhook handling affects who can join calls or receive transcripts.

Why it was flagged

The skill explicitly handles call transcripts and can send transcript summaries to a configured webhook, while browser call links are designed for unauthenticated recipients with a tokenized URL.

Skill content
retrieve full transcripts + summaries when calls end ... Optional: called with transcript + summary JSON when each call ends
WEBHOOK_URL=https://your-app.com/call-webhook ... Person opens link in any browser ... no account needed.

Recommendation

Use HTTPS webhooks you control, keep share links short-lived, do not post links publicly, disclose recording/transcription to participants, and define retention/deletion practices for transcripts.

What this means

A malicious or poorly written local call-skill prompt could make the voice agent say or do things the user did not intend during calls.

Why it was flagged

The static scan cited documentation indicating that local Markdown skill files become system prompts for the call agent. That is expected for a configurable call-script system, but untrusted or modified skill files could steer the call behavior.

Skill content
Skills are Markdown files in `skills/` — YAML frontmatter + LLM system prompt:

Recommendation

Only install or edit call-skill Markdown from trusted sources, review prompts before use, and keep custom call skills separated by purpose.

What this means

The phone-call backend, web UI, media server, and optional tunnel may remain active and reachable after setup.

Why it was flagged

The setup starts persistent local services and can enable inbound call answering. This is disclosed and central to the product, but users should understand that the services keep running until stopped.

Skill content
Services started: Backend API | http://localhost:8001 ... Web UI | http://localhost:3000 ... LiveKit | ws://localhost:7880 ... Inbound — agent answers incoming calls from your SIP trunk

Recommendation

Stop Docker containers and tunnels when not in use, firewall local services, and only enable inbound SIP behavior when intentionally operating the call agent.