Supercall
WarnAudited by ClawScan on May 10, 2026.
Overview
Supercall is a coherent Twilio/OpenAI calling tool, but it warrants review because it can make autonomous persona calls that hide the AI identity and exposes a real-time media channel with unclear authentication boundaries.
Review this skill carefully before installing. If you use it, set strict call and spend limits, use secure credentials, confirm each real call and sensitive IVR action, avoid deceptive personas, and ensure the media WebSocket endpoint is authenticated and not broadly exposed.
Findings (7)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Recipients may be misled about who is calling, which can create trust, consent, regulatory, or impersonation risks for the user.
The runtime prompt tells the calling agent to impersonate a persona and never disclose that it is an AI during real phone calls.
persona: Type.String({ description: "Who you are pretending to be" }) ... "Stay in character at all times - you ARE this persona" ... "Reveal you are an AI, bot, or running on any system"Require truthful caller identity and AI disclosure by default, add explicit per-call user confirmation, and avoid personas that impersonate real people or organizations without authorization.
If the public stream endpoint is reachable, an unauthorized party could potentially consume OpenAI credits, inject audio/transcripts, or interfere with call workflows.
The media stream handler accepts WebSocket upgrades/messages and starts an OpenAI realtime conversation session without a visible token, signature, origin, or active-call authorization check in this handler.
this.wss.handleUpgrade(request, socket, head, ...) ... const message = JSON.parse(data.toString()) ... conversationProvider.createSession({ instructions, initialGreeting })Authenticate WebSocket upgrades with a per-call secret or Twilio-verifiable parameter, reject unknown call IDs/provider SIDs, restrict paths/origins, and rate-limit stream creation.
A bad prompt, hallucination, or manipulated call could cause the agent to press menu options, enter digits, or interact with account systems unexpectedly.
Automatic DTMF/IVR navigation is a core feature, but it lets the model send keypad digits during calls without separate approval.
The AI automatically handles automated phone menus ... uses an internal `send_dtmf` tool ... fully automatic — no extra configuration or agent intervention is needed.
Keep call goals narrow, avoid giving the agent sensitive account numbers unless necessary, monitor transcripts, and consider requiring approval before DTMF actions in sensitive workflows.
Misuse or exposure of these credentials could incur OpenAI/Twilio charges or allow unauthorized calls.
The skill requires OpenAI and Twilio account credentials to operate; this is disclosed and purpose-aligned but grants spending and telephony authority.
`OPENAI_API_KEY` ... `TWILIO_ACCOUNT_SID` ... `TWILIO_AUTH_TOKEN` ... Credentials can be set via environment variables or in the plugin config
Use rotatable/scoped credentials where possible, store secrets securely, set Twilio spend/call limits, and rotate keys if logs or config files are exposed.
A compromised or misconfigured tunnel binary could expose local services or behave unexpectedly.
The skill launches a local tunneling CLI. This is expected for receiving Twilio webhooks, but it is still execution of an external local binary.
const proc = spawn("ngrok", args, {Install ngrok/Tailscale from trusted sources, review tunnel settings, prefer private tunnels where possible, and avoid running the skill with unnecessary privileges.
Phone transcripts may contain personal, business, or account information and can remain on disk after calls complete.
Call records are persisted locally, and call records include transcripts. This supports status/history features but stores sensitive conversation content.
path.join(process.env.HOME || "~", "clawd", "supercall-logs") ... fs.mkdirSync(this.storePath, { recursive: true }) ... this.persistCallRecord(callRecord)Document the storage location and retention behavior, protect file permissions, provide a cleanup option, and avoid sensitive disclosures during calls unless necessary.
A caller's spoken instructions or misleading information could influence later agent actions if treated as trusted context.
Remote call outcomes and transcripts can feed back into the agent workflow after completion, enabling follow-up actions.
Supercall uses OpenClaw's webhook system to trigger agent callbacks when calls complete ... enabling multi-call workflows
Treat call transcripts as untrusted input, summarize cautiously, require confirmation before follow-up calls or account changes, and do not let caller-provided text override user goals.