ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

VAPI Calls

v1.0.0

Advanced AI voice assistant for phone calls. Capable of persuasion, sales, restaurant bookings, reminders, and notifications.

1· 2.6k·8 current·8 all-time
bycmorillas@cmorillas99-cyber
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (AI phone call assistant) aligns with the required environment variables (VAPI_API_KEY, VAPI_ASSISTANT_ID, VAPI_PHONE_NUMBER_ID, WEBHOOK_BASE_URL) and with the Python script that posts to api.vapi.ai and runs a webhook server to collect call events.
Instruction Scope
SKILL.md explicitly instructs the operator to expose a local port to the internet (cloudflared/ngrok) and to provide a public WEBHOOK_BASE_URL; the Python script starts an HTTP server and accepts webhook payloads for the expected call lifecycle. This behavior is consistent with the skill's purpose but is a significant operational/security requirement (public-facing endpoint, inbound requests). The skill will send your VAPI_API_KEY in Authorization headers to api.vapi.ai as part of normal operation.
Install Mechanism
No formal install spec is provided (instruction-only), which is low-risk. However, there is a package.json with a postinstall chmod and a 'requests' dependency entry (node) while SKILL.md expects pip 'requests' and the code is Python. This mismatch is a minor incoherence you should verify (the package.json may be leftover or misleading). There are no downloads from arbitrary URLs.
Credentials
Requested environment variables are limited and match the service's needs. No unrelated credentials or broad system paths are requested. The skill does write local log files under ~/.openclaw/workspace/logs/vapi-calls, which is expected but notable.
Persistence & Privilege
The skill does not request always:true and does not modify other skills. It does open a local HTTP server and writes logs to the user's home directory during runs — expected for a webhook-based call manager, but you should be aware of the network exposure requirement and local files written.
Assessment
This skill appears to do what it says (make autonomous phone calls), but take these precautions before installing/using it: - Understand the network exposure: you must provide a publicly reachable WEBHOOK_BASE_URL (via ngrok, Cloudflare Tunnel, or a public server). That means inbound traffic will reach a server running on your machine; only do this from systems you control and trust. - Protect the API key: VAPI_API_KEY is sent in Authorization headers to api.vapi.ai. Treat it as a secret — use an account/key with limited scope and rotate/revoke keys if needed. - Verify the source: SKILL.md references a GitHub repo, but the skill's homepage/source are listed as unknown. If you plan to use it in production, inspect the repository or author history to confirm authenticity. - Packaging mismatch: SKILL.md asks for pip 'requests' and the code is Python, but package.json lists an npm dependency and a postinstall chmod. This is likely harmless leftover, but verify installation steps and avoid running untrusted package managers or scripts without review. - Legal and ethical considerations: automated calls (sales, persuasion) have regulatory and consent implications in many jurisdictions. Ensure recipients have provided consent and you understand applicable laws and platform billing. - Isolation: run first in an isolated/test environment (VM/container) and use ephemeral/test credentials. Check the logs written under ~/.openclaw/workspace/logs/vapi-calls to confirm expected behavior. If any of the above is unacceptable or you cannot verify the upstream source, treat the skill as untrusted and do not provide production credentials or expose sensitive systems to it.

Like a lobster shell, security has layers — review code before you run it.

automationvk975gcqwt1tpn0chq5fmepx00980hrzncallsvk975gcqwt1tpn0chq5fmepx00980hrznlatestvk975gcqwt1tpn0chq5fmepx00980hrznphonvk975gcqwt1tpn0chq5fmepx00980hrzntelephonyvk975gcqwt1tpn0chq5fmepx00980hrznvapivk975gcqwt1tpn0chq5fmepx00980hrznvoicevk975gcqwt1tpn0chq5fmepx00980hrznvoice agentvk975gcqwt1tpn0chq5fmepx00980hrzn
2.6kdownloads
1stars
1versions
Updated 15h ago
v1.0.0
MIT-0
cmorillas@cmorillas99-cyber
automationcallslatestphontelephonyvapivoicevoice agent
Download

Vapi Calls - Agent Instructions

Use this skill to perform any task that requires voice interaction over the phone.

Configuration & Network Requirements

⚠️ IMPORTANT: This skill requires your machine to be reachable from the internet to receive real-time call updates.

1. Environment Variables

Configure these in your OpenClaw config.json (or Gateway env):

  • VAPI_API_KEY: Your Vapi Private API Key.
  • VAPI_ASSISTANT_ID: The ID of the Vapi Assistant to use as a base.
  • VAPI_PHONE_NUMBER_ID: The ID of the Vapi Phone Number.
  • WEBHOOK_BASE_URL: Crucial. The public HTTPS URL where this agent is reachable (e.g., https://my-claw.com or https://xyz.ngrok-free.app). Do not include a trailing slash.
  • WEBHOOK_PORT (Optional): The local port to listen on (Default: 4430).
  • VAPI_LLM_PROVIDER: (Optional) Provider for Custom Mode (Default: openai).
  • VAPI_LLM_MODEL: (Optional) Model for Custom Mode (Default: gpt-4o-mini).

2. Connectivity Setup

You must expose the WEBHOOK_PORT (default 4430) to the internet.

Option A: Cloudflare Tunnel (Recommended) cloudflared tunnel --url http://localhost:4430

Option B: Ngrok ngrok http 4430

Set WEBHOOK_BASE_URL to the generated URL (e.g., https://random-name.trycloudflare.com).

Usage

Custom Mission (Dynamic)

Provide a specific system_prompt. The system will automatically use GPT-4o Mini and enable the endCall tool. The AI will be able to hang up autonomously.

Native Agent (Static)

Pass "DEFAULT" for first_message, system_prompt, and end_message. The system will use the exact configuration (Model, Voice, Prompt) defined in the Vapi Dashboard.

Troubleshooting

  • Call hangs / No report: Check if WEBHOOK_BASE_URL is reachable from the internet. The Python script spins up a temporary server on WEBHOOK_PORT only during the call.
  • API 400 Error: Check your VAPI_PHONE_NUMBER_ID and VAPI_ASSISTANT_ID.

Comments

Loading comments...