Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FlowConcierge

AI phone receptionist for any business. Point it at your website and it scrapes your content, builds a knowledge base, spins up a VAPI voice assistant, conne...

MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (high confidence)
Purpose & Capability
Name/description match the implementation: the code scrapes a site, uploads a KB to VAPI, creates an assistant, interacts with Twilio and HubSpot. However the registry metadata claims 'no required env vars' and 'instruction-only/no install spec' while the SKILL.md + code clearly require API keys and include an install.sh and Python scripts — this mismatch is an incoherence that reduces trust in the package metadata.
Instruction Scope
SKILL.md instructs scraping (including a 3-tier cascade that claims to 'punch through Cloudflare'), creating assistants, auto-buying Twilio numbers, and exposing a local webhook (ngrok). The code will collect caller phone numbers, transcripts, and AI summaries and post them to HubSpot — these are privacy-sensitive operations. Running ngrok exposes a local endpoint publicly. The scraping behavior (stealth/dynamic tiers) and instructions to auto-purchase numbers increase risk surface and could be used for abuse if misconfigured.
Install Mechanism
install.sh runs pip install scrapling and runs Playwright's browser install; requirements.txt specifies scrapling>=0.4.0, a lower bound rather than an exact pin. This is a standard Python install approach but will download browsers and install packages without pinned versions. The installer also writes an alias into the user's shell rc (~/.zshrc or ~/.bashrc), modifying dotfiles — an expected but intrusive change. No downloads from unknown personal servers were observed.
Credentials
The skill legitimately needs VAPI, Twilio, and HubSpot credentials, and SKILL.md documents these env vars and CLI flags. That is proportional to the functionality. However the registry metadata did not declare any required env vars or a primary credential — a mismatch that can mislead users about what secrets are needed. The required credentials are sensitive (Twilio can charge and send SMS; HubSpot stores personal data).
Persistence & Privilege
always:false and normal autonomous invocation are fine. The installer modifies the user's shell profile to add an alias (writes to ~/.zshrc or ~/.bashrc). The skill does not request always:true or appear to modify other skills or system-wide agent settings. Still, because it suggests running a publicly reachable webhook (ngrok) and will auto-buy phone numbers, these behaviors carry operational risk.
What to consider before installing
This skill appears to implement the features it advertises, but there are several red flags and operational risks to consider before installing:

  • Metadata mismatch: the registry claims no required env vars and 'instruction-only', but the package includes install.sh and Python code and clearly needs VAPI, Twilio, and HubSpot keys. Treat the registry info as unreliable.
  • Sensitive credentials: you must provide Twilio (billing + SMS), HubSpot (CRM/contact data), and VAPI keys. Use least-privilege tokens, a dedicated/test account, and rotate/revoke keys if you stop using the skill.
  • Costs & side-effects: the script can auto-buy Twilio numbers (real charges). Expect possible billing from Twilio. Confirm area-code and purchase behavior before running 'setup'.
  • Privacy & data flow: call transcripts and caller phone numbers are sent to HubSpot and VAPI. That may contain personally identifiable information; ensure you have consent and correct data-handling controls.
  • Install changes & network exposure: install.sh installs packages and Playwright browsers and adds an alias to your shell rc. The skill recommends using ngrok to expose a webhook — exposing local endpoints is a risk; run behind a secure public endpoint or in an isolated environment.
  • Source trust: source/homepage is unknown. If you plan to use it, review scripts (flowconcierge.py and install.sh) yourself or run them in an isolated VM/container. Consider pinning Python package versions and running pip installs in a venv.

Recommended actions before installing: review the full scripts line-by-line, run in a disposable VM or container, require explicit approval before any Twilio purchase, restrict API key scopes where possible, and confirm legal/privacy compliance for recording/transmitting caller data.
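A static pre-install check for the findings listed above (undeclared credentials, unpinned pip installs, the browser download, and the shell-profile edit), added here as an example; it is not code from the skill or from ClawHub. The function name, the finding labels, and both sample texts are assumptions: the SKILL.md excerpt reuses lines shown on this page, and the install.sh lines are constructed from the scan's description rather than taken from the real script.

```python
import re

# Credential-style names such as VAPI_API_KEY or TWILIO_AUTH_TOKEN.
CRED_VAR = re.compile(r"\b[A-Z][A-Z0-9]*(?:_[A-Z0-9]+)*_(?:KEY|TOKEN|SID|SECRET)\b")
PIP_INSTALL = re.compile(r"\bpip3?\s+install\s+(.+)")
RC_FILE = re.compile(r"~/\.(?:zshrc|bashrc|bash_profile|profile)\b")


def audit_skill(declared_env, skill_md, install_sh):
    """Static pre-install review; returns a list of (finding, detail) tuples."""
    findings = []
    undeclared = sorted(set(CRED_VAR.findall(skill_md)) - set(declared_env))
    if undeclared:
        findings.append(("undeclared-credentials", ", ".join(undeclared)))
    for raw in install_sh.splitlines():
        line = raw.split("#", 1)[0].strip()  # ignore shell comments and the shebang
        m = PIP_INSTALL.search(line)
        if m:
            args = re.split(r"[;&|]", m.group(1))[0].split()
            pkgs = [a.strip("\"'") for i, a in enumerate(args)
                    if not a.startswith("-")
                    and (i == 0 or args[i - 1] not in ("-r", "--requirement"))]
            loose = [p for p in pkgs if "==" not in p]  # only an exact == counts as pinned
            if loose:
                findings.append(("unpinned-pip-install", " ".join(loose)))
        if "playwright install" in line:
            findings.append(("browser-download", line))
        rc = RC_FILE.search(line)
        if rc and ">" in line:  # redirect (> or >>) into a shell profile
            findings.append(("shell-rc-modified", rc.group(0)))
    return findings


# Constructed inputs. The registry metadata declares no env vars, per the scan.
DECLARED_ENV = []
SKILL_MD = """--vapi-key (or set VAPI_API_KEY env var)
Environment variable alternatives: HUBSPOT_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_FROM_NUMBER
"""
INSTALL_SH = """#!/bin/bash
pip install scrapling
playwright install
echo "alias flowconcierge='python3 scripts/flowconcierge.py'" >> ~/.zshrc
"""

if __name__ == "__main__":
    for finding, detail in audit_skill(DECLARED_ENV, SKILL_MD, INSTALL_SH):
        print(f"{finding}: {detail}")
```

The check reads text only and never executes the installer, so it can be run on a downloaded package before anything touches the host.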

Like a lobster shell, security has layers — review code before you run it.

Current version: v1.0.1

Runtime requirements

🦞 Clawdis

SKILL.md

FlowConcierge

Any business. AI receptionist. Live in hours.

Point it at your website. It scrapes your content, builds a knowledge base, spins up a VAPI voice assistant, auto-buys a phone number, and logs every call to HubSpot CRM — with optional SMS follow-ups to every caller.

Free from the Flow team. 🦞

Prerequisites

You need accounts on (all have free/trial tiers):

  • VAPI — AI voice agent (vapi.ai)
  • Twilio — Phone number + SMS ($15 trial credit, number ~$1/mo)
  • HubSpot — Free CRM (free forever tier)

Install

npx clawhub@latest install windseeker1111/flowconcierge
cd skills/flowconcierge && bash install.sh

That's it. install.sh installs scrapling, sets up Playwright, and adds a flowconcierge command to your shell.

Quickstart

Step 1 — Spin up your AI receptionist:

python3 scripts/flowconcierge.py setup https://yourbusiness.com \
  --name "My Business" \
  --vapi-key YOUR_VAPI_KEY \
  --twilio-sid YOUR_TWILIO_SID \
  --twilio-token YOUR_TWILIO_TOKEN

FlowConcierge will:

  1. Scrape your website using a 3-tier Scrapling cascade (punches through Cloudflare)
  2. Upload a structured knowledge base to VAPI
  3. Create a voice assistant (GPT-4o-mini + ElevenLabs Rachel voice)
  4. Auto-buy a local Twilio phone number and connect it

Step 2 — Start the webhook server (logs calls to HubSpot):

python3 scripts/flowconcierge.py webhook \
  --hubspot-key YOUR_HUBSPOT_KEY \
  --twilio-sid YOUR_TWILIO_SID \
  --twilio-token YOUR_TWILIO_TOKEN \
  --twilio-from +15550001234 \
  --business-name "My Business" \
  --sms-followup

Step 3 — Expose your webhook (so VAPI can reach it):

ngrok http 8080
# Copy the https:// URL and add --webhook-url to your setup command

Commands

setup — Create a new AI receptionist

# From a website URL (auto-scrapes)
python3 scripts/flowconcierge.py setup https://mybusiness.com --vapi-key KEY

# From your own knowledge base markdown file
python3 scripts/flowconcierge.py setup --kb my-kb.md --name "Grand Hotel" --vapi-key KEY

# Full setup — auto phone number, preferred area code, webhook URL
python3 scripts/flowconcierge.py setup https://mybusiness.com \
  --name "My Business" \
  --vapi-key KEY \
  --twilio-sid SID \
  --twilio-token TOKEN \
  --area-code 415 \
  --webhook-url https://your-ngrok-url.ngrok.io

Options:

  • --name — Business name (auto-detected from URL if omitted)
  • --vapi-key — VAPI API key (or set VAPI_API_KEY env var)
  • --twilio-sid / --twilio-token — Auto-buy a Twilio phone number
  • --phone — Connect an existing phone number instead
  • --area-code — Preferred area code for auto-bought number
  • --webhook-url — VAPI server URL for call event delivery
  • --kb — Path to a markdown knowledge base file
  • --lang — Language code (default: en)

webhook — Log calls to HubSpot + send SMS follow-ups

python3 scripts/flowconcierge.py webhook \
  --port 8080 \
  --hubspot-key KEY \
  --twilio-sid SID \
  --twilio-token TOKEN \
  --twilio-from +15550001234 \
  --business-name "My Business" \
  --sms-followup

Listens for VAPI end-of-call-report events. On each call:

  1. Creates or updates a HubSpot contact from the caller's phone number
  2. Logs a call note with the AI-generated summary and transcript
  3. Sends an SMS follow-up to the caller (if --sms-followup is set)

Environment variable alternatives: HUBSPOT_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_FROM_NUMBER

list — Show active assistants

python3 scripts/flowconcierge.py list --vapi-key KEY

delete — Remove an assistant

python3 scripts/flowconcierge.py delete asst_abc123 --vapi-key KEY

How It Works

Your website URL
    │
    ▼  Scrapling 3-tier cascade (plain HTTP → stealth TLS → full JS)
    │
    ▼  Knowledge base uploaded to VAPI
    │
    ▼  Voice assistant created (GPT-4o-mini + ElevenLabs)
    │
    ▼  Twilio number bought and connected
    │
    ▼  Caller dials in → VAPI answers using your KB
    │
    ▼  Call ends → webhook → HubSpot contact + call note logged
    │
    ▼  SMS follow-up sent to caller automatically

Environment Variables

| Variable | Description |
|---|---|
| VAPI_API_KEY | VAPI API key |
| TWILIO_ACCOUNT_SID | Twilio account SID |
| TWILIO_AUTH_TOKEN | Twilio auth token |
| TWILIO_FROM_NUMBER | Your Twilio number for SMS |
| HUBSPOT_API_KEY | HubSpot private app token |

Free from the Flow team 🦞
