ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

FlowConcierge — AI Phone Receptionist for Any Business

v1.1.0

AI phone receptionist for any business. Point it at your website and it scrapes your content, builds a knowledge base, spins up a VAPI voice assistant, conne...

0· 383·0 current·0 all-time
by@windseeker1111

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for windseeker1111/flowconcierge.

Previewing Install & Setup.
Prompt PreviewInstall & Setup
Install the skill "FlowConcierge — AI Phone Receptionist for Any Business" (windseeker1111/flowconcierge) from ClawHub.
Skill page: https://clawhub.ai/windseeker1111/flowconcierge
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Canonical install target

openclaw skills install windseeker1111/flowconcierge

ClawHub CLI

Package manager switcher

npx clawhub@latest install flowconcierge
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The code and SKILL.md align with the stated purpose: it scrapes a site, uploads a KB to VAPI, creates a voice assistant, buys/connects Twilio numbers, and logs calls to HubSpot. However the registry metadata claims no required environment variables or primary credential even though the skill expects VAPI, Twilio, and HubSpot credentials—this mismatch is unexpected and should have been declared.
!
Instruction Scope
Runtime instructions and the script ask the agent/user to scrape arbitrary websites (a 3-tier cascade that includes stealth and full-JS fetchers and explicitly says it 'punches through Cloudflare'), expose a local webhook via ngrok, and transmit website content plus call transcripts to external services (VAPI, HubSpot, Twilio). The skill will accept API keys via flags or env vars; those sensitive items are used to contact third-party APIs and to buy phone numbers. The scraping behavior (circumventing protections) and automatic transmission of transcripts/KB to external services are privacy- and policy-sensitive and are broader than a simple 'helper'—flag for caution.
Install Mechanism
install.sh uses pip to install 'scrapling' and runs Playwright's browser install. This is a common approach for scraping tools but will download browser binaries and install a PyPI package. The script also modifies the user's shell rc to add an alias (writes to ~/.zshrc or ~/.bashrc) — a persistent change that should be disclosed and reviewed. There is no remote arbitrary binary download or obscure host used.
!
Credentials
The skill legitimately needs several sensitive credentials (VAPI API key, Twilio SID/auth token, HubSpot API key) — which the script and SKILL.md use — but the registry metadata lists no required env vars or primary credential. That omission is an incoherence: the platform should have declared these required secrets. In addition, the tool will send transcripts, caller phone numbers, and scraped website content to third-party services: ensure you trust those services and are comfortable with sharing that data. Auto-buying Twilio numbers can incur charges.
Persistence & Privilege
The skill is not force-installed (always:false) and does not request elevated platform privileges. Its persistent effects are: adding an alias to a shell rc file and installing Playwright browser binaries and a Python package. Those are persistent on the host and worth noting, but are not unusual for this kind of tool.
What to consider before installing
This skill appears to implement the advertised functionality, but pay attention to these points before installing or running with real credentials: - Credentials: The skill requires sensitive API keys (VAPI, Twilio, HubSpot). The registry metadata did not declare those requirements — verify and only provide keys you trust and control. Consider using throwaway/test accounts or API keys with limited scopes for initial testing. - Data flow & privacy: The skill scrapes your website and uploads that content and call transcripts to third-party services (VAPI and HubSpot). If your website contains private or regulated data, or if you cannot share call content with those services, do not run this in production. - Scraping behavior: The scraper uses stealth and JS fetchers and advertises bypassing protections (Cloudflare). That may violate target site terms of service or local law—confirm you have the right to scrape the site. - Costs & billing: Auto-buying Twilio numbers and sending SMS can incur charges. Review billing settings and limits on your Twilio account before allowing the tool to purchase numbers. - Installation side-effects: install.sh will pip-install packages, download Playwright browser binaries, and add an alias to your shell rc. Review the installer contents and consider running inside an isolated environment (container or VM) first. - Review code & network behavior: Although no obvious exfiltration endpoints beyond the advertised APIs were found, review scripts/flowconcierge.py and test in an isolated environment. Monitor outbound network requests (which services are contacted) during a dry run. What would change this assessment: if the registry metadata were updated to explicitly declare required env vars/credentials and the author provided a clear privacy/data-flow statement (where scraped content and transcripts go, retention, and data protection), my confidence would rise to benign. Conversely, any hidden endpoints, additional undeclared credentials, or code that sends data to unknown hosts would raise the severity to malicious.

Like a lobster shell, security has layers — review code before you run it.

Runtime requirements

🦞 Clawdis
latestvk97asa792rp78bkn0mvsk1grm983e6k5
383downloads
0stars
3versions
Updated 6h ago
v1.1.0
MIT-0
@windseeker1111
latest
Download

FlowConcierge

Any business. AI receptionist. Live in hours.

Point it at your website. It scrapes your content, builds a knowledge base, spins up a VAPI voice assistant, auto-buys a phone number, and logs every call to HubSpot CRM — with optional SMS follow-ups to every caller.

Free from the Flow team. 🦞

Prerequisites

You need accounts on (all have free/trial tiers):

  • VAPI — AI voice agent (vapi.ai)
  • Twilio — Phone number + SMS ($15 trial credit, number ~$1/mo)
  • HubSpot — Free CRM (free forever tier)

Install

npx clawhub@latest install windseeker1111/flowconcierge
cd skills/flowconcierge && bash install.sh

That's it. install.sh installs scrapling, sets up Playwright, and adds a flowconcierge command to your shell.

Quickstart

Step 1 — Spin up your AI receptionist:

python3 scripts/flowconcierge.py setup https://yourbusiness.com \
  --name "My Business" \
  --vapi-key YOUR_VAPI_KEY \
  --twilio-sid YOUR_TWILIO_SID \
  --twilio-token YOUR_TWILIO_TOKEN

FlowConcierge will:

  1. Scrape your website using a 3-tier Scrapling cascade (punches through Cloudflare)
  2. Upload a structured knowledge base to VAPI
  3. Create a voice assistant (GPT-4o-mini + ElevenLabs Rachel voice)
  4. Auto-buy a local Twilio phone number and connect it

Step 2 — Start the webhook server (logs calls to HubSpot):

python3 scripts/flowconcierge.py webhook \
  --hubspot-key YOUR_HUBSPOT_KEY \
  --twilio-sid YOUR_TWILIO_SID \
  --twilio-token YOUR_TWILIO_TOKEN \
  --twilio-from +15550001234 \
  --business-name "My Business" \
  --sms-followup

Step 3 — Expose your webhook (so VAPI can reach it):

ngrok http 8080
# Copy the https:// URL and add --webhook-url to your setup command

Commands

setup — Create a new AI receptionist

# From a website URL (auto-scrapes)
python3 scripts/flowconcierge.py setup https://mybusiness.com --vapi-key KEY

# From your own knowledge base markdown file
python3 scripts/flowconcierge.py setup --kb my-kb.md --name "Grand Hotel" --vapi-key KEY

# Full setup — auto phone number, preferred area code, webhook URL
python3 scripts/flowconcierge.py setup https://mybusiness.com \
  --name "My Business" \
  --vapi-key KEY \
  --twilio-sid SID \
  --twilio-token TOKEN \
  --area-code 415 \
  --webhook-url https://your-ngrok-url.ngrok.io

Options:

  • --name — Business name (auto-detected from URL if omitted)
  • --vapi-key — VAPI API key (or set VAPI_API_KEY env var)
  • --twilio-sid / --twilio-token — Auto-buy a Twilio phone number
  • --phone — Connect an existing phone number instead
  • --area-code — Preferred area code for auto-bought number
  • --webhook-url — VAPI server URL for call event delivery
  • --kb — Path to a markdown knowledge base file
  • --lang — Language code (default: en)

webhook — Log calls to HubSpot + send SMS follow-ups

python3 scripts/flowconcierge.py webhook \
  --port 8080 \
  --hubspot-key KEY \
  --twilio-sid SID \
  --twilio-token TOKEN \
  --twilio-from +15550001234 \
  --business-name "My Business" \
  --sms-followup

Listens for VAPI end-of-call-report events. On each call:

  1. Creates or updates a HubSpot contact from the caller's phone number
  2. Logs a call note with the AI-generated summary and transcript
  3. Sends an SMS follow-up to the caller (if --sms-followup is set)

Environment variable alternatives: HUBSPOT_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN, TWILIO_FROM_NUMBER

list — Show active assistants

python3 scripts/flowconcierge.py list --vapi-key KEY

delete — Remove an assistant

python3 scripts/flowconcierge.py delete asst_abc123 --vapi-key KEY

How It Works

Your website URL
    │
    ▼  Scrapling 3-tier cascade (plain HTTP → stealth TLS → full JS)
    │
    ▼  Knowledge base uploaded to VAPI
    │
    ▼  Voice assistant created (GPT-4o-mini + ElevenLabs)
    │
    ▼  Twilio number bought and connected
    │
    ▼  Caller dials in → VAPI answers using your KB
    │
    ▼  Call ends → webhook → HubSpot contact + call note logged
    │
    ▼  SMS follow-up sent to caller automatically

Environment Variables

VariableDescription
VAPI_API_KEYVAPI API key
TWILIO_ACCOUNT_SIDTwilio account SID
TWILIO_AUTH_TOKENTwilio auth token
TWILIO_FROM_NUMBERYour Twilio number for SMS
HUBSPOT_API_KEYHubSpot private app token

Free from the Flow team 🦞

Comments

Loading comments...