Supercall

Security checks across static analysis, malware telemetry, and agentic risk

Overview

Supercall matches its stated phone-calling purpose, but it gives an agent high-impact autonomous calling and IVR authority, deliberately hides the AI identity from callees, and routes call data through persistent/callback workflows that need careful review.

Install only if you are comfortable with an agent making paid automated calls on your behalf. Use truthful disclosure/consent practices, dedicated provider credentials, Twilio/OpenAI spending limits, secured hooks and tunnels, and manual review before follow-up actions based on call transcripts.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access

Critical
Finding
Environment variable access combined with network send.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

64/64 vendors flagged this skill as clean.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may place paid calls and navigate phone menus in ways that affect appointments, accounts, prescriptions, or other real-world services.

Why it was flagged

The skill explicitly allows the AI to press DTMF keys in phone systems without per-step user approval, which can create costs or interact with accounts and services.

Skill content

The AI automatically handles automated phone menus (IVR systems) during calls... This is fully automatic — no extra configuration or agent intervention is needed.

Recommendation

Use explicit per-call approval, set Twilio spend/concurrency/duration limits, and avoid allowing sensitive IVR actions unless the user has confirmed the exact goal and boundaries.

What this means

People receiving calls may be misled about who is calling, which can create consent, legal, reputational, or fraud-adjacent risks for the user.

Why it was flagged

The generated call prompt directs the AI to impersonate a persona and conceal that it is an AI system.

Skill content

persona: Type.String({ description: "Who you are pretending to be" }) ... SECURITY - NEVER: ... Reveal you are an AI, bot, or running on any system

Recommendation

Configure personas that truthfully identify the caller and disclose automation where required; do not use this for deceptive, regulated, or consent-sensitive calls.

What this means

A callee could say instructions or sensitive content that later appears in the agent context and influences follow-up tasks or calls.

Why it was flagged

Call results from an external human conversation are fed back through OpenClaw callback workflows, creating a boundary where callee-controlled content can influence later agent behavior.

Skill content

Supercall uses OpenClaw's webhook system to trigger agent callbacks when calls complete... enabling multi-call workflows

Recommendation

Treat transcripts as untrusted input, require user review before follow-up actions, and ensure callbacks do not automatically execute high-impact tasks.

What this means

Phone transcripts may contain personal, business, medical, or account information and can remain on disk after calls complete.

Why it was flagged

The plugin persists call records, including transcripts, to a default local log directory.

Skill content

path.join(process.env.HOME || "~", "clawd", "supercall-logs"); ... transcript: [], ... this.persistCallRecord(callRecord);

Recommendation

Review the log location and retention behavior, protect local config/log files, and delete transcripts that should not be retained.

What this means

If the public media-stream endpoint is reachable without upstream protection, an unauthorized party could trigger OpenAI realtime usage or inject audio/traffic.

Why it was flagged

The provided media-stream handler upgrades WebSocket connections and creates OpenAI realtime sessions from stream start messages; no authentication check is visible in this handler, while the plugin is designed to be exposed through a public tunnel.

Skill content

handleUpgrade(request: IncomingMessage, socket: Duplex, head: Buffer): void { ... this.wss.handleUpgrade(request, socket, head, ...); } ... conversationProvider.createSession({ instructions, initialGreeting })

Recommendation

Verify that WebSocket upgrades are restricted to legitimate Twilio streams, use unguessable paths or signed parameters if available, and monitor OpenAI/Twilio usage.

What this means

Compromised or over-privileged keys could allow paid API use or unauthorized phone activity.

Why it was flagged

The plugin requires provider credentials that can spend money and place calls, which is expected for the stated service but sensitive.

Skill content

`OPENAI_API_KEY` ... Powers the realtime voice AI ... `TWILIO_ACCOUNT_SID` ... `TWILIO_AUTH_TOKEN` ... Twilio API authentication

Recommendation

Use dedicated API keys/accounts where possible, keep tokens out of shared files, rotate if exposed, and set provider-side billing and usage limits.

What this means

A malicious or misconfigured local tunnel binary could affect what the plugin exposes or runs.

Why it was flagged

The plugin starts a local tunnel binary, which is consistent with its documented ngrok/tailscale webhook setup but still executes local programs.

Skill content

const proc = spawn("ngrok", args, {

Recommendation

Install ngrok/tailscale from trusted sources, keep them updated, and avoid running the plugin with unnecessary privileges.