Outbound Phone Calls and Automated Notifications

Pass. Audited by VirusTotal on May 6, 2026.

Overview

Type: OpenClaw Skill
Name: smallkeyboy-outbound-call
Version: 1.0.0

The skill bundle is a legitimate implementation for making outbound calls via the ElevenLabs API. The Python script (call.py) uses standard libraries, performs basic regex validation on phone numbers, and communicates only with the official ElevenLabs endpoint (api.elevenlabs.io). No evidence of data exfiltration, malicious execution, or harmful prompt injection was found.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A mistaken or unauthorized invocation could call the wrong person or incur telephony/provider charges.

Why it was flagged

The skill enables an agent to initiate real outbound phone calls, but the documented workflow explicitly requires confirmation and consent before use.

Skill content

Run the call script with a phone number... python3 skills/outbound-call/call.py +1XXXXXXXXXX ... ALWAYS confirm the phone number with the user before placing a call ... NEVER place a call without explicit user consent

Recommendation

Only invoke it after confirming the exact number, recipient, purpose, and opening message with the user.

What this means

Anyone or any agent flow with access to the configured key could potentially consume account quota or place calls through the linked ElevenLabs/Twilio setup.

Why it was flagged

The script uses an ElevenLabs API key from the environment to authenticate outbound-call requests.

Skill content

API_KEY = os.environ.get("ELEVENLABS_API_KEY", "") ... "xi-api-key": API_KEY

Recommendation

Use a dedicated, least-privileged key if available, keep it out of logs and prompts, rotate it if exposed, and monitor provider usage.

What this means

Call context may contain personal, customer, appointment, billing, or other sensitive information that will be processed by the external provider.

Why it was flagged

The phone number, optional first message, and optional call context are sent to an external ElevenLabs/Twilio call workflow.

Skill content

API_URL = "https://api.elevenlabs.io/v1/convai/twilio/outbound-call" ... client_data["dynamic_variables"] = {"call_context": context}

Recommendation

Send only the minimum call context needed, avoid unnecessary sensitive details, and review ElevenLabs/Twilio retention and compliance settings.

What this means

It may be harder to confirm the exact origin or intended release of the packaged skill.

Why it was flagged

The included package metadata does not match the registry listing, which reports slug smallkeyboy-outbound-call and version 1.0.0. The code is included and reviewable, so this is a provenance/version verification note rather than evidence of unsafe behavior.

Skill content

"slug": "outbound-call", "version": "0.1.5"

Recommendation

Verify the repository or publisher before installing, especially because the skill uses a live calling account.