Video Call AI Character

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The installed npm package will run local server code that was not included in the static scan artifacts.

Why it was flagged

The runtime is installed from an external npm package rather than provided as reviewed source files in this artifact set.

Skill content
node | package: openclaw-video-call | creates binaries: openclaw-video-call

Recommendation

Install only if you trust the npm package and repository; consider reviewing the package source and pinning/monitoring the installed version.

What this means

The runtime can use the user's Runway account and may consume API credits or create/delete avatar resources as part of the intended workflow.

Why it was flagged

The skill requires a Runway API secret so the local runtime can act against the user's Runway account.

Skill content
Required env vars: RUNWAYML_API_SECRET

Recommendation

Use a dedicated, revocable Runway API key if possible, monitor usage, and remove the key when you no longer use the skill.

What this means

Personal details, voice/video content, and call transcripts may be processed by Runway and later used by the agent for follow-up actions.

Why it was flagged

The intended workflow sends sensitive call media and persona/context text to Runway, and then reuses the transcript as agent context.

Skill content
Only data you explicitly pass (avatar image, personality text, call audio/video) is sent to Runway ... the full transcript is available for the agent to act on.

Recommendation

Avoid including sensitive personal or business information unless necessary, and review Runway's retention/privacy settings before use.

Note | High Confidence

ASI10: Rogue Agents

What this means

The call server may continue listening after setup, allowing later agent-initiated calls until the user stops it.

Why it was flagged

The skill intentionally uses a long-running local server so calls can be initiated later.

Skill content
The server stays running in the background, waiting for the agent to initiate calls.

Recommendation

Run the server only when needed, stop it after use, and be deliberate about when the agent is allowed to initiate calls.

What this means

If enabled, the call server becomes reachable through a shareable tunnel URL, so access depends on how that URL is handled.

Why it was flagged

The optional cloudflared tunnel can expose the local call interface beyond localhost for remote-device use.

Skill content
Tunnel: https://xxxx.trycloudflare.com — shareable, works from phone

Recommendation

Use the tunnel only when needed, do not share the URL broadly, and prefer localhost-only calls when possible.