ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Gv Caller

v1.0.1

使用 Google Voice 自动拨打电话并播放 AI 生成的语音(TTS)或本地音频。

0· 131·0 current·0 all-time
by@joe12801

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for joe12801/gv-caller.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "Gv Caller" (joe12801/gv-caller) from ClawHub.
Skill page: https://clawhub.ai/joe12801/gv-caller
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install gv-caller

ClawHub CLI

Package manager switcher

npx clawhub@latest install gv-caller
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
high confidence
Purpose & Capability
The code and docs consistently implement Google Voice dialing with audio injection via Puppeteer and a virtual microphone, which matches the advertised purpose. However, the skill metadata lists no dependencies while SKILL.md and the scripts require chromium, ffmpeg, puppeteer-core, and an OpenClaw TTS CLI — this is a mismatch.
!
Instruction Scope
SKILL.md instructs the user to place google_voice_cookies.json in the skill directory, but lib/engine.js reads cookies from a hardcoded path '/root/.openclaw/workspace/google_voice_cookies.json'. The engine also reads/writes files under /tmp (TTS outputs and screenshots) and expects an 'openclaw tts' CLI to exist; these file/CLI accesses are not declared in the skill's "Requirements" section and broaden the skill's scope unexpectedly.
Install Mechanism
There is no install spec (instruction-only install), which minimizes installation risk. But runtime requires Node.js modules (puppeteer-core) and native binaries (chromium, ffmpeg); these are not enforced by the registry metadata and must be installed by the user.
!
Credentials
No environment variables or config paths are declared, yet the code requires and reads a sensitive cookie file containing Google session credentials. The cookie path is hardcoded to a root-owned workspace location, which could give the skill access to credentials in a location the user didn't expect. Also the skill relies on an external 'openclaw tts' command and generated files under /tmp, none of which are declared.
!
Persistence & Privilege
always:false (normal), but the skill reads a cookie file from a shared-looking root workspace path: '/root/.openclaw/workspace/google_voice_cookies.json'. That hardcoded path could access credentials or artifacts created by other components or users on the host, which is a privilege concern even though the skill does not explicitly persist itself or alter other skills.
What to consider before installing
This skill does what it claims (automated Google Voice calling with injected audio), but there are several red flags you should resolve before installing or running it: - Protect your Google credentials: the engine reads a cookie file with account session cookies. Confirm where you will store google_voice_cookies.json and avoid putting it in shared/root workspaces. The code currently reads '/root/.openclaw/workspace/google_voice_cookies.json' (hardcoded) — ask the author to make this path configurable or change it to the skill directory before use. - Verify dependencies: you must install Node.js, puppeteer-core (and matching Chromium), ffmpeg, and provide the 'openclaw tts' CLI the script expects. The registry metadata does not declare these; ensure they are present and trustworthy. - Run in isolation: because the skill automates a real Google account and uses session cookies, test it in an isolated environment or with a throwaway Google Voice account to avoid accidental exposure or misuse. - Review and/or patch code: the hardcoded '/usr/bin/chromium' path and '/root/.openclaw/workspace/...' cookie location are brittle and surprising. Change these to configurable options (read from the skill's directory or arguments) and avoid requiring root paths. - Legal/ethical caution: automated outbound calling may be subject to local laws and abuse policies; do not use for harassment or fraud. If the author provides a fixed release that (a) declares required binaries/dependencies, (b) makes the cookie path configurable and documented, and (c) does not read root/shared workspaces by default, this would substantially reduce the concerns.

Like a lobster shell, security has layers — review code before you run it.

latestvk972k40fmy1d5685bs6j51jqpx83cc30
131downloads
0stars
2versions
Updated 1mo ago
v1.0.1
MIT-0
@joe12801
latest
Download

gv-caller 📞

一个让你的 OpenClaw Agent 具备物理外呼能力的黑科技插件。它通过无头浏览器(Puppeteer)直接驱动 Google Voice 网页端,实现低成本、自动化的语音通话。

✨ 核心特性

  • 自动拨号:支持全球号码拨打(遵循 Google Voice 费率)。
  • 音频注入:支持将 AI 生成的语音(TTS)或本地 .wav 文件直接“灌入”通话,对方接听即可听到。
  • 自然语言交互:直接对 Agent 说“给主人打个电话说开会了”,即可自动触发。
  • 持久会话:通过 Cookie 注入,无需反复登录验证。

🛠️ 前置要求

  1. Google Voice 账户:且账户内有足够余额(拨打非美加号码)。
  2. 环境依赖
    • chromium 浏览器
    • ffmpeg (用于音频转码)
    • puppeteer-core (Node.js 库)
  3. 认证信息:需在技能目录下准备好 google_voice_cookies.json

🚀 快速开始

1. 自动提取信息拨打

直接在飞书/控制台对 Agent 说:

"打电话给 +8615912345678 告诉他文档已经写好了。"

2. 命令行手动调用

# 拨打并朗读指定文字
openclaw skills run gv-caller -- --number +86159xxxx --text "你好,任务已完成"

# 拨打并播放本地音频文件
openclaw skills run gv-caller -- --number +86159xxxx --audio /tmp/music.wav --duration 30

⚙️ 配置说明

参数必填默认值说明
--number-目标号码 (E.164格式)
--text-要朗读的文本,支持自动 TTS 转语音
--audio-本地音频路径 (建议 16k/44.1k wav)
--duration60通话保持时长 (秒)

⚠️ 安全与隐私

  • 请妥善保管 google_voice_cookies.json,其中包含您的 Google 账户访问权限。
  • 请遵守当地法律法规,严禁将本工具用于骚扰、电信诈骗或任何非法用途。

Author: Joe & OpenClaw Assistant License: MIT

Comments

Loading comments...