Skillv1.0.1

ClawScan security

Gemini Live Phone · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 13, 2026, 12:48 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly does what it says (bridge Twilio ↔ Gemini) but contains several surprising defaults and behavior (hardcoded Twilio SID/from-number, a third‑party PUBLIC_URL, and local structured logging) that are disproportionate or unexplained and warrant review before use.
Guidance: This skill appears to implement a Twilio→Gemini real‑time bridge, but there are red flags you should address before running it with your production credentials: - Hardcoded defaults: the script contains a default TWILIO_ACCOUNT_SID, default TWILIO_FROM phone number, and a default PUBLIC_URL (https://athena.abfs.tech). If you don't explicitly set TWILIO_ACCOUNT_SID, TWILIO_FROM, and PUBLIC_URL, the bridge may behave unexpectedly (attempt to use those defaults or embed that external domain in generated TwiML). Replace those defaults with values you control. - Environment variables: SKILL.md asks for GOOGLE_API_KEY and TWILIO_AUTH_TOKEN; the code will also accept GEMINI_API_KEY and other TWILIO_* env vars. Ensure you supply the correct key name (GEMINI_API_KEY is supported) and do not accidentally expose your credentials to any third party. - Logging and local files: the bridge writes structured logs to /tmp/openclaw including hostname and runtime metadata. Review the logger behavior and the log retention/location if you care about privacy of metadata or call events. - Network exposure: this server must be publicly reachable for Twilio webhooks; run it in a hardened environment (firewalled host, TLS via reverse proxy) and verify the WebSocket/Twiml endpoints before connecting real phone numbers. - Review full code paths: confirm how TwiML responses are constructed (ensure they do not redirect audio/media to the default PUBLIC_URL or any external endpoint you don't control), and verify that no audio or call data is forwarded to third parties without your consent. What would change the assessment: seeing the remaining code that generates TwiML and outbound requests (to confirm whether the default PUBLIC_URL is used to route media or callbacks), removal of hardcoded account values, or an explicit comment from the author that those defaults are only placeholders and will never be used in runtime. If you cannot validate those points, treat this skill as suspicious and run it in an isolated/test environment first.

Review Dimensions

Purpose & Capability: noteName, description, requirements, dependencies (google-genai, twilio) and binaries (python3, uvicorn) align with a Twilio→Gemini real‑time bridge. However the code embeds unexpected defaults (a hardcoded TWILIO_ACCOUNT_SID, default TWILIO_FROM number, and a default PUBLIC_URL pointing at https://athena.abfs.tech) that are not justified by the SKILL.md and are unusual for a user‑run bridge.
Instruction Scope: concernSKILL.md instructs only to set GOOGLE_API_KEY and TWILIO_AUTH_TOKEN and run the bridge. The code reads (and uses) other environment variables if present (TWILIO_ACCOUNT_SID, TWILIO_FROM, PUBLIC_URL, GEMINI_API_KEY), writes structured logs to /tmp/openclaw with hostname and runtime metadata, and likely emits TwiML and WebSocket behavior. The default PUBLIC_URL suggests the service may reference an external domain by default, which could redirect Twilio traffic or metadata externally if not overridden.
Install Mechanism: okNo install spec; this is instruction + code. Dependencies are standard Python packages listed in requirements.txt (fastapi, uvicorn, google-genai, twilio, etc.). No remote downloads or arbitrary archives in the manifest.
Credentials: concernDeclared required envs (GOOGLE_API_KEY, TWILIO_AUTH_TOKEN) map to Gemini and Twilio usage, which is expected. But the code prefers GEMINI_API_KEY or GOOGLE_API_KEY (both supported) and also will use TWILIO_ACCOUNT_SID and TWILIO_FROM from env or fall back to hardcoded defaults. The presence of hardcoded account SID and phone number is unexpected and disproportionate — it could cause accidental cross‑account interactions or leak routing if defaults are used. The logger also records hostname/runtime info to local files, which could contain sensitive metadata.
Persistence & Privilege: okSkill is not always-enabled and is user-invocable. It writes local log files under /tmp/openclaw but does not request system-wide persistent privileges or modify other skills. No evidence of modifying system or other skill configs.