Tongyi Xiaomi (通义晓蜜) - Intelligent Outbound Calling

Review

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent for launching Aliyun outbound-call campaigns, but it handles real phone lists, Aliyun credentials, and a large bundled script, so users should review and confirm each use carefully.

Install/use this only if you intend to run Aliyun Xiaomi outbound-call tasks. Before each run, confirm the exact phone list, call purpose, caller identity/script, and Aliyun account being used; use least-privilege credentials and avoid unnecessary personal data.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A wrong phone list or scenario could cause unwanted calls, costs, or reputational/compliance issues.

Why it was flagged

The skill can initiate batch outbound calls, which is a high-impact external action. The same instructions require explicit confirmation, so this is disclosed and controlled but still important for users to notice.

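Skill content

Triggers an Aliyun Xiaomi outbound-call bot task and automatically places calls in bulk ... must confirm before execution ... executes only after receiving explicit confirmation

Recommendation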

Before running it, verify the phone numbers, call purpose, consent/compliance basis, and final confirmation message; avoid large batches unless the user clearly approved them.

What this means

Anyone with access to these credentials may be able to use the associated Aliyun outbound bot permissions.

Why it was flagged

The skill requires Aliyun AccessKey credentials, and the guide suggests storing them persistently in shell configuration. This is expected for the Aliyun integration, but it grants cloud-account authority.

Skill content

The following environment variables must be set: ALIYUN_OUTBOUND_BOT_ACCESS_KEY_ID ... ALIYUN_OUTBOUND_BOT_ACCESS_KEY_SECRET ... Permanent configuration (recommended)

Recommendation

Use a least-privilege RAM user/key scoped to the needed Xiaomi outbound bot APIs, protect local shell config files, and rotate or revoke keys if no longer needed.

What this means

Users must trust the bundled JavaScript that performs the outbound-call integration.

Why it was flagged

The skill ships a large executable bundle but has limited provenance information and no install specification. The static scan reported clean, so this is a provenance/readability note rather than evidence of malicious behavior.

Skill content

Source: unknown; Homepage: none; No install spec; scripts/bundle.js (3210566 bytes)

Recommendation

Prefer installing from a known publisher, review the bundle or obtain source/provenance details if this will be used with production credentials or customer data.

What this means

Customer or candidate phone numbers and related details may be sent to Aliyun and used to place calls.

Why it was flagged

The skill processes phone numbers and contact/candidate records from users or previous tools for use with the Aliyun outbound-call service. This data flow is purpose-aligned but involves personal data.

Skill content

"phoneNumbers": ["13800138000"] ... "candidates": [{ "name": "张三", "phone": "13800138000", "score": 85 }] ... CRM/external tool format

Recommendation

Send only the minimum necessary fields, avoid unnecessary sensitive details, and ensure the user has a lawful/appropriate basis to contact the listed people.

What this means

Recipients could be misled if an auto-generated persona or company identity is inaccurate.

Why it was flagged

The skill encourages generating a detailed caller persona and opening prompt. This can be legitimate for configuring a bot, but users should ensure the generated identity and company details are truthful and approved.

Skill content

The system intelligently infers a suitable configuration from scenarioDescription ... "name": "李敏", "gender": "女", "age": 28 ... "openingPrompt": "您好,我是XX公司的招聘专员李敏"

Recommendation

Have the user explicitly review the caller identity, organization, and opening script; disclose automation where required by policy or law.