Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Supercall

v2.0.0

Make AI-powered phone calls with custom personas and goals. Uses OpenAI Realtime API + Twilio for ultra-low latency voice conversations. Supports DTMF/IVR na...

6 · 1.8k · 7 current · 9 all-time

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious

OpenClaw: Benign (high confidence)
Purpose & Capability
The name and description (AI phone calls, DTMF/IVR, Twilio + OpenAI Realtime) align with the required env vars (OPENAI_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN), and the code files implement the Twilio provider, realtime conversation, DTMF generation, and webhook handling. Requesting a tunnel binary (ngrok/tailscale) is consistent with needing a public webhook URL for media streams.
Instruction Scope
SKILL.md and code limit runtime actions to initiating calls, managing WebSocket media streams, verifying webhooks, generating DTMF tones, persisting call logs, and invoking call-completion callbacks. The instructions do not direct the agent to read unrelated secrets or system files beyond normal config paths (user home for logs). Webhook self-tests perform POSTs to the configured public webhook URL (expected behavior for reachability checks).
Install Mechanism
Install spec is an npm package (@xonder/supercall) — a standard, expected mechanism for a Node-based OpenClaw plugin. This is moderate risk compared to an instruction-only skill (because code is installed on disk), but appropriate and proportional for the functionality. There are no downloads from arbitrary URLs or extract-from-URL steps.
Credentials
Requested env vars (OPENAI_API_KEY as primary, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN) are directly required for the stated functionality. NGROK_AUTHTOKEN is optional per SKILL.md. The skill uses process.env.HOME for log storage (normal). No unrelated credentials or broad secrets are requested.
Persistence & Privilege
The plugin does not request always:true and registers as a normal user-invocable plugin. It persists its own call logs under a path in the user's home and requires a hooks token in OpenClaw config for callbacks — these are normal installation/runtime behaviors and limited in scope.
Assessment
This plugin appears to do what it says — make AI-driven phone calls via Twilio using the OpenAI Realtime API. Before installing, consider: (1) This will require your OpenAI API key and Twilio credentials; rotate and scope keys where possible and monitor billing (real calls cost money). (2) Configure and protect the global hooks.token (the plugin will POST internal callbacks to your configured webhook URL). Treat that token as a secret. (3) The plugin performs webhook self-tests (POST and WebSocket checks) to the configured public URL — ensure that URL points to your infrastructure or trusted tunnel, not an attacker-controlled endpoint. (4) The npm install writes code to disk (normal for a plugin) — only install from sources you trust; verify the package publisher and repository if you need stronger assurance. (5) Set conservative limits (maxConcurrentCalls, maxDurationSeconds) and monitor transcripts/behavior — the AI can act autonomously during calls. If you'd like a narrower risk profile, consider using the provided mock provider for testing and validating configuration before enabling real calls.

Like a lobster shell, security has layers — review code before you run it.

Tags: DTMF, IVR, appointment, appointments, call, calls, communication, confirmation, guests, latest, phone, scheduling, table, telecom, voice, voice call

Runtime requirements

Runtime: Clawdis
Any bin: ngrok, tailscale
Env: OPENAI_API_KEY, TWILIO_ACCOUNT_SID, TWILIO_AUTH_TOKEN
Primary env: OPENAI_API_KEY

Install

Install supercall plugin (npm): npm i -g @xonder/supercall