Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
gycall
v1.0.4
Advanced AI voice assistant for phone calls. Capable of persuasion, sales, restaurant bookings, reminders, and notifications.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
Name/description (AI phone call assistant) align with requested env vars (VAPI_API_KEY, ASSISTANT_ID, PHONE_NUMBER_ID, WEBHOOK_BASE_URL), required binary (python3), and the included Python script which posts to api.vapi.ai to create calls. The resources requested are proportional to the stated functionality.
Instruction Scope
SKILL.md and the script instruct the agent to open a local HTTP server and require the host to be reachable from the internet (via cloudflared/ngrok or direct exposure). This is necessary for real-time webhooks but is a meaningful operational risk: it grants inbound network access and requires the user to configure public tunnels or port forwarding.
Install Mechanism
No download/install spec; the skill is instruction + a small Python script. package.json only sets executable bit for the script and lists 'requests' (expected). No remote archives or opaque install steps are used.
Credentials
All required environment variables are directly related to Vapi telephony operation. Optional vars (WEBHOOK_PORT, VAPI_LLM_PROVIDER, VAPI_LLM_MODEL) are documented in SKILL.md. The skill needs an API key (sensitive) and a public webhook URL — both justified by the service but should be scoped to a dedicated account/key if possible.
Persistence & Privilege
The skill does not request 'always:true' or privileged platform-wide settings. It writes logs to ~/.openclaw/workspace/logs/vapi-calls which is expected for call records; consider filesystem permissions and retention. The agent runs a temporary HTTP server during calls — no long-term background daemon or config changes beyond the log files.
Assessment
This skill appears to do what it says (make autonomous AI phone calls) and its required env vars match that purpose. Before installing:
1) Understand you must expose a local webhook endpoint (ngrok/cloudflared or open port) — this increases attack surface; prefer a dedicated tunneling session and firewall rules that only forward the webhook port.
2) Use a dedicated Vapi API key/account with minimal privileges and rotate/delete the key if you stop using the skill.
3) Verify the skill's source: registry metadata lists 'source: unknown' and homepage missing, even though SKILL.md references a GitHub repo — confirm the upstream repository and maintainer before trusting the code.
4) Review and secure the directory where logs are written (~/.openclaw/workspace/logs/vapi-calls) because call transcripts and summaries may contain sensitive data.
5) If you cannot accept exposing a webhook endpoint or providing an API key, do not install. If you proceed, run in an isolated environment (VM or container) and limit network exposure.
Like a lobster shell, security has layers — review code before you run it.
Runtime requirements
Bins: python3
Env: VAPI_API_KEY, VAPI_ASSISTANT_ID, VAPI_PHONE_NUMBER_ID, WEBHOOK_BASE_URL
