Sip Voice Call Control
Warn
Audited by ClawScan on May 10, 2026.
Overview
The skill is mostly coherent for a Telnyx voice assistant, but it exposes a persistent public calling interface with tool execution, local gateway credentials, and workspace memory access that are not clearly bounded.
Review carefully before installing. If you use it, restrict allowed callers, avoid exposing it publicly without authentication, limit memory-search paths, scope gateway permissions, and stop the persistent process when not in active use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Someone interacting with the voice assistant could potentially cause reminders to be deleted or messages to be sent if the assistant interprets the call that way.
The voice model is given tools that can mutate reminders/scheduled tasks and send messages. The provided artifacts do not show a clear confirmation gate or caller authorization before these high-impact tools are executed.
name: 'remove_cron_job' ... description: 'DELETE/REMOVE an existing cron job or reminder' ... name: 'send_message' ... description: 'Send a message to a specific person or channel.'
Require explicit user confirmation for mutating or outbound-message actions, and restrict which callers or phone numbers can invoke tools.
Anyone who learns or guesses the SIP address may be able to talk to the assistant and try to trigger its tools.
The Telnyx Call Control application is configured to accept SIP calls from anyone to the generated subdomain. The artifacts do not show an allowlist, caller identity check, or other boundary before calls reach the assistant.
inbound: { sip_subdomain: sipSubdomain, sip_subdomain_receive_settings: 'from_anyone' }
Use Telnyx caller restrictions, an allowlist, PIN/passphrase, or another authentication step before exposing voice tool access.
The voice server may gain access to local OpenClaw gateway capabilities, including messaging or other tools, beyond the Telnyx account access the user expects.
The code reads local OpenClaw/Clawdbot gateway authentication tokens, but the declared primary credential is only TELNYX_API_KEY. This expands delegated local-tool authority without a clear credential contract.
const configPaths = [`${homedir}/.openclaw/openclaw.json`, `${homedir}/.clawdbot/clawdbot.json`]; ... GATEWAY_TOKEN = config.gateway?.auth?.token || '';
Declare this credential/config access explicitly, scope the gateway token to only needed tools, and require user approval before using gateway-backed actions.
Private workspace notes or memory could be disclosed during a phone call if the caller can access the assistant.
The skill exposes a memory-search tool over the voice interface and points it at workspace files, but the artifacts do not clearly bound paths, exclusions, caller access, or what private content may be returned.
`WORKSPACE_DIR` | No | `~/clawd` | For memory search tool ... `search_memory` ... Searches workspace files
Limit searchable paths, exclude secrets/private files, and require caller authentication before memory search is enabled.
The assistant may continue accepting calls and tool requests after the original setup session ends.
The skill is intended to keep running after setup. Persistent operation is expected for a phone server, but the artifacts do not pair it with strong caller restrictions or automatic shutdown controls.
Start in Background (Persistent) ... nohup npm run start > sip-voice-call-control.log 2>&1 & ... Always use `nohup` or a process manager for production.
Only run it persistently when needed, document how to stop it, and add access controls before leaving it online.
Future installs may pull newer dependency versions than the ones the author tested.
The skill installs npm dependencies using semver ranges, and no lockfile is present in the provided file manifest. This is common but reduces reproducibility of the installed code.
"dependencies": { "dotenv": "^17.2.3", "express": "^4.18.2", "openai": "^6.17.0", "telnyx": "^2.0.0" }Prefer a reviewed lockfile or pin dependencies before production use.
