easy phone call
Advisory
Audited by VirusTotal on Apr 15, 2026.
Overview
Type: OpenClaw Skill
Name: easy-phone-call
Version: 1.0.2
The skill is a legitimate wrapper for an outbound AI telephony service provided by skill.black. The Python scripts (make-call.py and query-call.py) are well-structured, using standard libraries to interact with the service's API and manage local logs in a transparent manner. The SKILL.md instructions include critical safety features, such as mandatory user confirmation steps and privacy disclosures regarding the transmission of phone numbers and conversation context to the third-party provider. No evidence of obfuscation, unauthorized data exfiltration, or malicious intent was found.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A mistaken or premature invocation could call a real person or business, so the user should carefully confirm the target, number, and purpose.
The skill can initiate real outbound phone calls, including a force-outbound option, but the documentation also requires explicit confirmation before doing so.
Only place the outbound call after the user has explicitly confirmed. ... `uv run scripts/make-call.py --phone "{电话}" --messages '["用户: ..."]' --must-outbound`
Keep the confirmation step mandatory and use force-outbound only when the user clearly asks to call despite incomplete details.
Anyone with access to the configured API key may be able to consume the outbound-call service quota or make calls through the account.
The script reads an API key from the environment or config file and uses it to authenticate to the outbound-call service, which is expected for this integration.
api_key = os.environ.get("OUTBOUND_API_KEY", "") ... "X-Access-Key": api_key
Store the API key securely, avoid sharing it in chat, and revoke or rotate it if it is exposed.
The registry summary may make the skill look simpler or less credential-dependent than it is.
SKILL.md declares a required runtime and API key, while the registry metadata lists no required binaries, no required environment variables, and no install spec. This is an under-declaration/provenance gap rather than evidence of hidden behavior.
requires:
  bins: ["uv"]
  env:
    - OUTBOUND_API_KEY
Before installing, verify the skill files, expected API provider, and credential requirements; the publisher should align registry metadata with SKILL.md.
Phone numbers and call conversations may remain on the local machine after the call and could be seen by someone with file access.
The skill explicitly stores phone numbers, conversation content, and call logs locally, which is sensitive persistent context.
- Request records: `memory/skills/requests.jsonl`
- Call logs: `memory/skills/costs.jsonl`
- These two files contain PII (phone numbers, conversation content)
Review and delete the local log files when no longer needed, and avoid including unnecessary sensitive details in call instructions.
