Back to plugin

Security audit

Voice Call

Security checks across malware telemetry and agentic risk

Overview

This official voice-call skill does what it says: it enables OpenClaw to place and handle phone calls through configured telephony providers.

Use the mock provider for testing. For real calls, assume phone numbers, call metadata, and spoken or typed call content may be sent to the configured telephony and speech providers and may be stored in call history. Keep provider credentials secret, leave webhook signature verification enabled, and be careful with open inbound calling, persistent per-phone sessions, and realtime tool policies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill enables transmission of phone numbers and spoken/message content to third-party telephony providers such as Twilio, Telnyx, or Plivo, but it does not clearly warn users about that data sharing. This can lead to accidental disclosure of personal or sensitive information and uninformed use in environments with privacy, consent, or compliance requirements.

VirusTotal

58/58 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/runtime-entry-DwMgbq2p.js:1455
Evidence
const proc = spawn("tailscale", args, { stdio: [