Stringclaw
v0.0.9
Make real phone calls via Stringclaw. Use when the user says 'call me', 'give me a call', 'phone me', or wants to talk by voice. Initiates an outbound voice...
by Oscar W. Halland @oscarwoha
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name, description, required binary (stringclaw-bridge) and required env var (STRINGCLAW_API_KEY) align with a bridge-based outbound-calling capability. The install (npm @stringclaw/bridge -> stringclaw-bridge) is consistent with the declared purpose.
Instruction Scope
The runtime instructions modify global OpenClaw gateway configuration (enable chatCompletions, set gateway.mode, set gateway.auth.mode) and create a voice agent. They also instruct reading the gateway auth token from OpenClaw config and writing it into the environment for the bridge. Those actions are operationally necessary for the bridge but are system-wide changes and involve reading a local secret (gateway token) that is not listed in the skill's declared requirements.
Install Mechanism
Installation is via an npm package (@stringclaw/bridge) which is a normal distribution mechanism but carries the usual moderate risk of running third-party JavaScript. There is no homepage or source listed in metadata, so you cannot easily inspect the package upstream before install.
Credentials
The skill declares only STRINGCLAW_API_KEY as a required credential (reasonable). However, the instructions read and rely on the OpenClaw gateway auth token (created or read via openclaw config) which is a local secret not declared in requires.env or required config paths. The bridge is started with that token in its environment, meaning the bridge process will have access to the gateway token.
Persistence & Privilege
The skill does not request always:true, but its instructions modify global OpenClaw gateway settings and create an agent (system-wide changes). Those modifications may be required for functionality but should be made consciously since they affect the whole agent environment.
What to consider before installing
This skill appears to do what it says (install a bridge and place outbound calls), but exercise caution before installing. Key points to consider:
- The npm package @stringclaw/bridge is the only install step; verify its source, maintainer, and code before installing (no homepage/source is provided in the skill metadata).
- The instructions will change OpenClaw gateway settings and create a voice agent; these are global changes that affect your environment—make sure you want that.
- The bridge is started with the OpenClaw gateway token set in its environment; the skill reads that token from your OpenClaw config but did not declare it as a required credential. Confirm you are comfortable with a third-party binary/process getting that token.
- Review the npm package contents (or run in an isolated/test environment) and check logs (/tmp/stringclaw-bridge.log) during initial runs.
- If you need lower risk, ask the author for a homepage/source repository and a minimal install artifact you can audit, or request that the skill declare any local secrets/config paths it reads.
Like a lobster shell, security has layers — review code before you run it.
latest vk97cjpqwqmg1fb1xhqxdre20ds82988z
Runtime requirements
📞 Clawdis
Bins: stringclaw-bridge
Env: STRINGCLAW_API_KEY
Primary env: STRINGCLAW_API_KEY
Install
Node
Bins: stringclaw-bridge
npm i -g @stringclaw/bridge