gycall
v1.0.3
Advanced AI voice assistant for phone calls. Capable of persuasion, sales, restaurant bookings, reminders, and notifications.
by FreeFly @mrsz
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (AI phone calls, bookings, reminders, persuasion) match the actual behavior: the script calls https://api.vapi.ai/call, starts a temporary HTTP server to receive Vapi webhooks, and processes call reports and tool calls. Required env vars (VAPI_API_KEY, VAPI_ASSISTANT_ID, VAPI_PHONE_NUMBER_ID, WEBHOOK_BASE_URL) are appropriate for a telephony webhook integration.
Instruction Scope
SKILL.md instructs the user to make the local machine reachable from the internet (Cloudflare Tunnel / ngrok) and to expose a WEBHOOK_PORT; the script spawns an HTTP server bound to 0.0.0.0 to receive call events and saves call results/transcripts to ~/.openclaw/workspace/logs/vapi-calls. This behavior is expected for real-time telephony webhooks but raises operational/privacy concerns (incoming network exposure and persisted transcripts).
Install Mechanism
This is instruction-only with no external download/install step. The bundled Python script uses the requests library and stdlib http.server. There are no obscure download URLs or archive extracts. package.json references requests and a postinstall chmod, but there is no high-risk installer that pulls arbitrary code from an unknown host.
Credentials
Environment variables requested are proportional to the service being used (VAPI API key, assistant and phone IDs, and public webhook base URL). The VAPI_API_KEY is sensitive and should be stored/rotated appropriately; the skill does not request unrelated credentials.
Persistence & Privilege
The skill does not request always:true and can be invoked by the user. It does open a temporary server bound to 0.0.0.0 while running and writes logs (including transcripts) to the user's home directory. These behaviors are expected but increase attack surface and data exposure if run on an unrestricted host.
Assessment
This skill appears to do what it says, but it requires you to make a machine reachable from the internet and provides Vapi with a webhook endpoint. Before installing or running: (1) Protect the VAPI_API_KEY (store it securely and rotate if compromised). (2) Run the skill in an isolated environment (container or dedicated VM) rather than on a machine with sensitive data. (3) Use a trusted tunnel provider (paid/official ngrok or Cloudflare tunnel) and verify WEBHOOK_BASE_URL points to your tunnel. (4) Be aware that call transcripts and reports are written to ~/.openclaw/workspace/logs/vapi-calls — remove or encrypt logs if they contain sensitive info. (5) Confirm legal/regulatory compliance for automated calling in your jurisdiction and watch for potential billing/costs on the Vapi account. (6) If you need higher assurance, request the upstream repository/source and a signed/reproducible release to audit dependencies and code provenance.
Like a lobster shell, security has layers — review code before you run it.
latestvk9766jbztexhe5cmwqpzw1hft582qcmr
Runtime requirements
Bins: python3
Env: VAPI_API_KEY, VAPI_ASSISTANT_ID, VAPI_PHONE_NUMBER_ID, WEBHOOK_BASE_URL
