Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
ClawVoice
v1.1.3
Initiate and manage outbound phone calls via ClawVoice with guided setup, configuration, and post-call outcome capture.
by Cody (@neocody)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidence
Purpose & Capability
The name, README, SKILL.md, and code all implement a Twilio/Telnyx + Deepgram/ElevenLabs telephony voice plugin — the functionality requested in code matches the stated purpose. However the skill bundle metadata claims "Required env vars: none" while the code and SKILL.md expect many sensitive credentials (Twilio SID/Auth Token, Telnyx API key/connection ID, Deepgram key, ElevenLabs key/agent ID, optional OPENAI key). That metadata omission is an incoherence that could mislead non-technical users.
Instruction Scope
SKILL.md instructs the agent to guide users to provide account credentials interactively (e.g., "Give me both" for Twilio SID/Auth Token) and to run config commands. Asking users to paste secrets into a chat is risky because conversation history/context may capture them. The instructions also require setting public tunnel URLs and making webhooks publicly reachable. Those steps are functionally necessary but expand the scope to collecting and storing many secrets and external endpoints; the instructions do not fully spell out safe handling/storage of those secrets.
Install Mechanism
There is no external download/install spec in the registry entry. The package includes a normal Node.js plugin bundle (package.json, dist/*). Dependencies are small and come from npm (ws, @clack/prompts). No downloads from personal servers or URL-shorteners were found. The code does include a fragile heuristic that probes OpenClaw's internal/bundled exports to find internal APIs — this is not an external install risk but is intrusive (see persistence_privilege).
Credentials
The plugin legitimately needs telephony and voice-provider credentials (Twilio/Telnyx, Deepgram, ElevenLabs) and optionally an OpenAI key for post-call analysis; that matches purpose. But the registry metadata lists no required env vars (inconsistent). The default configuration sets mainMemoryAccess to "read" (meaning voice sessions can read main agent memory) despite README claims about "memory isolation"; this is a risky default and a contradiction that may expose agent memory to phone calls. Several sensitive config fields exist (webhook secrets, API keys) — these are expected but must be treated carefully.
Persistence & Privilege
always:false (good). The plugin registers hooks, tools, CLI commands, and HTTP routes, and includes code that probes OpenClaw internals to locate registerPluginHttpRoute (a fragile and somewhat invasive technique). That probing increases the plugin's ability to attach routes and interact with the host runtime in non-standard ways; combined with the memory-read default, it raises the privilege/impact if misconfigured, but the skill is not force-included and does not request system-level always-on privileges.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md instructs how to configure an ElevenLabs system prompt and requires inserting a placeholder ({{ _system_prompt_ }}). This looks like a legitimate requirement for ElevenLabs conversational agents, but the pattern also matches common prompt-injection vectors; the plugin includes runtime prompt-injection detection in hooks.js which helps, yet the presence of the pattern in setup instructions triggered the scanner.
What to consider before installing
Summary and recommended actions before installing:
1) Metadata mismatch: The registry entry says "no required env vars", but the code and README expect Twilio/Telnyx credentials, Deepgram and/or ElevenLabs API keys, and optionally an OpenAI key. Treat those as required for operation and do not paste them into public chats.
2) Do NOT provide secrets in an untrusted chat session. If the setup wizard asks for keys, use the local CLI (openclaw config set ...) or set environment variables on the host rather than typing keys into free-form conversation that may be logged.
3) Memory isolation: The README claims voice memory sandboxing, but default config sets mainMemoryAccess to "read". If you require isolation, explicitly set clawvoice.mainMemoryAccess to "none" before enabling inbound/outbound calls and test thoroughly.
4) Webhook/tunnel exposure: The plugin requires a publicly reachable webhook/WSS endpoint (ngrok/Cloudflare/Tailscale). Exposing a local service to the internet has operational risk; ensure you secure endpoints (use webhook signing secrets, verify provider signatures) and rotate credentials.
5) Internal probing: The plugin contains code that heuristically probes OpenClaw internals to register HTTP routes. This is fragile and more invasive than a simple use of documented APIs. Consider this if you need a stable, auditable plugin surface — prefer plugins that use documented extension points.
6) Verify provenance: The source/homepage is unknown in the registry entry; the README points to clawvoice.io and a GitHub repo. Verify that the domain and repo are controlled by a known maintainer, check commit history and recent releases, and prefer installing from an official or well-audited source.
7) Least privilege & defaults: Before enabling calls, review config values: set dailyCallLimit, disable recordCalls if undesired, enable webhook signing and verify it in code, and change mainMemoryAccess if you want stronger isolation.
8) If unsure, ask the publisher for clarification (why registry metadata lists no env vars, why memory access default is read) and request an explanation of how secrets are stored and rotated. If you cannot validate provenance and handling of secrets/memory, do not install.
These inconsistencies and defaults make the skill "suspicious" (coherent purpose but risky configuration and metadata omissions).
dist/cli.js:1047
Environment variable access combined with network send.
dist/index.js:474
Environment variable access combined with network send.
dist/cli.js:1054
File read combined with network send (possible exfiltration).
dist/index.js:539
File read combined with network send (possible exfiltration).
README.md:169
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Like a lobster shell, security has layers — review code before you run it.
