Skill v1.0.0

ClawScan security

Phone Caller · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 24, 2026, 10:24 PM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's code and instructions largely match a phone-calling purpose (Twilio + ElevenLabs + GPT), but the registry metadata omits required credentials and the runtime instructions perform sensitive actions (public tunnel, third-party uploads, sending iMessage) that are not fully declared — exercise caution.
Guidance
Before installing or running this skill, consider the following:
- Metadata mismatch: The registry claims no required env vars, but the SKILL.md and scripts require multiple sensitive keys (ELEVENLABS_API_KEY, TWILIO_ACCOUNT_SID/TWILIO_AUTH_TOKEN/TWILIO_PHONE_NUMBER, OPENAI_API_KEY) and a MASTER_PHONE for iMessage. Treat those keys as sensitive and confirm you are willing to provide them.
- iMessage sending: server.py calls a local 'imsg' CLI to send summaries to MASTER_PHONE. That will send messages from your machine/account — only set MASTER_PHONE if you want automatic iMessage output, and verify the 'imsg' tool behavior first.
- Public exposure: Interactive mode requires tunneling (localtunnel/ngrok) which exposes your local server to the internet. Only run behind a tunnel you control and on a machine you trust. Consider restricting usage to test numbers and isolated environments.
- Third-party hosting: One-way mode uploads generated audio to tmpfiles.org (60m TTL). That stores audio on a third-party server; do not upload sensitive content there. Consider hosting audio yourself or using a trusted storage service.
- Least privilege: Use dedicated or limited-scope API keys (Twilio subaccount, ElevenLabs key with limited usage if possible, and a separate OpenAI key) and rotate them after testing.
- Platform assumptions: The code assumes availability of Python packages (twilio, flask, openai, requests) and the 'imsg' CLI (macOS). Verify these dependencies and platform compatibility.
- Code review & testing: Because the skill contains executable scripts, review the source and run in a sandboxed environment (VM or isolated container) before granting real credentials or calling real phone numbers. Test with verified/test phone numbers and a Twilio trial or subaccount.
If you proceed, minimize blast radius: create limited API keys, avoid using personal iMessage accounts, avoid uploading private audio to tmpfiles.org, and monitor network traffic while testing.

Review Dimensions

Purpose & Capability
note
The skill's stated purpose (make outbound calls using Twilio + ElevenLabs with an optional GPT-driven interactive mode) matches the included scripts. However, the registry metadata claims no required env vars/credentials while SKILL.md and the scripts require multiple sensitive credentials (ELEVENLABS_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_PHONE_NUMBER, OPENAI_API_KEY and optional MASTER_PHONE). This mismatch is an integrity/information problem.
Instruction Scope
concern
SKILL.md and the server.py instruct the agent/user to: run a public tunnel (localtunnel), host a webhook publicly, upload generated audio to a third-party host (tmpfiles.org) in one-way mode, and automatically send a GPT-generated summary via a local imsg CLI to MASTER_PHONE. The instructions reference /tmp paths, require reading several env vars not declared in the registry, and expose local endpoints to the internet. Those actions expand the scope beyond just 'make a call' and have privacy/exposure implications.
Install Mechanism
note
There is no install spec (instruction-only), which reduces installer risk. Still, the code assumes presence of Python packages (twilio, flask, openai, requests) and uses 'npx localtunnel' in instructions — none of these are declared. No remote binary downloads are scripted, but the need to run a local server and use third-party services increases operational risk.
Credentials
concern
The scripts legitimately need Twilio and ElevenLabs API credentials and (for interactive mode) an OpenAI key — but the registry lists no required env vars. Additional sensitive items (MASTER_PHONE for iMessage, CALLER_PUBLIC_URL / CALLER_PORT, optional CALLER_VOICE_ID) are used but not declared. Requiring full Twilio account SID/auth token and OpenAI key is proportionate to function but still sensitive; the omission from metadata and automatic iMessage sending are notable issues.
Persistence & Privilege
note
always:false (normal). The skill will run a local Flask server and serve audio files from /tmp while running — this is transient but exposes local endpoints when tunneled to the public internet. The skill also invokes a local 'imsg' binary to send iMessage, which uses the host's messaging capability (sensitive). The skill does not alter other skills or system-wide configs, but running a public webhook and sending messages from the host are elevated operational privileges that users should accept explicitly.