
      Safety Report

      Phone Voice Assistant - Amber

      @batthis

      The most complete voice and phone calling skill for OpenClaw. Handles inbound and outbound phone calls over Twilio with OpenAI Realtime speech. Inbound outbo...

1,133 Downloads
2 Installs
4 Stars
89 Versions
Legal & Compliance · 1,710

      Security Analysis

Verdict: Clean (0.08 risk score, medium confidence)

The package is internally consistent with its stated purpose (a Twilio + OpenAI phone assistant): the required env vars, binaries, and install steps match what a phone bridge needs. However, it requires building and running third-party Node code and handling sensitive API keys, so review the install scripts and runtime code before deploying.

Mar 7, 2026 · 62 files · 2 concerns

Purpose & Capability: ok

      The name/description match the requested pieces: Twilio credentials, OpenAI key, PUBLIC_BASE_URL and a webhook secret are expected for a realtime phone bridge. The declared binaries (node, ical-query, bash) and included subsystems (local SQLite CRM, calendar using ical-query) are coherent with the skill's features.

Instruction Scope: note

SKILL.md and AGENT.md limit runtime actions to phone/call flows, calendar lookups, CRM, and gateway calls. There are explicit guardrails (e.g., ical-query argument validation, SUMMARY_JSON handling, confirmation enforcement) that indicate awareness of injection and exfiltration risks. However, these guarantees are declarative only; audit the runtime code paths that implement these rules (runtime/src/*, handlers) to verify enforcement, for example that SUMMARY_JSON is never sent externally and that exec calls actually sanitize their arguments.

Install Mechanism: note

      Install specifies running npm install && npm run build in the runtime directory. That's expected for a Node runtime but is moderate-risk: npm lifecycle scripts and native builds (e.g., better-sqlite3) can execute arbitrary code on install and may require developer toolchains. There is no suspicious external download URL; packages will come from the npm ecosystem. Review runtime/package.json and any postinstall scripts before running.

Credentials: ok

      Required env vars (TWILIO_ACCOUNT_SID/AUTH_TOKEN/CALLER_ID, OPENAI_API_KEY, OPENAI_PROJECT_ID, OPENAI_WEBHOOK_SECRET, PUBLIC_BASE_URL) are proportionate to a Twilio + OpenAI realtime voice bridge. The manifest lists additional optional gateway tokens (OPENCLAW_GATEWAY_TOKEN, BRIDGE_API_TOKEN) which, if set, enable cross-service actions — that's expected but optional. Use dedicated, scoped credentials where possible.

Persistence & Privilege: ok

      always:false (not force-included). The project includes helper scripts for a dist-watcher and example LaunchAgent entries (auto-restart), but these are opt-in in docs; they are not forced by the registry metadata. No evidence the skill attempts to modify other skills' configs or claim elevated platform privileges.

      Guidance

This package appears to be what it claims: a Twilio + OpenAI realtime phone assistant. Before installing, do the following:

1) Inspect runtime/package.json for any postinstall or lifecycle scripts that run during npm install; consider running the install in an isolated VM or container.

2) Audit critical runtime code paths (runtime/src/index.ts, runtime/src/providers/twilio.ts, runtime/src/skills/*, and any gateway-send code) to confirm the declared guardrails (SUMMARY_JSON local-only, ical-query arg validation, confirmation enforcement) are actually enforced in code.

3) Use dedicated API keys with minimal scope and billing limits (separate Twilio/OpenAI keys), and do not set the optional gateway tokens unless you trust the OpenClaw gateway endpoint.

4) Be aware that native modules (better-sqlite3) may require developer toolchains and elevated build actions.

5) If you plan to enable the optional auto-restart/LaunchAgent instructions, review those files carefully; they add persistence on your machine.

If you want higher assurance, run the service on an isolated host and limit network access for components that don't need it.

      Latest Release

      v5.5.5

      v5.5.5: kick stuck VT scan with fresh file hash; minor description tweak


      Published by @batthis on ClawHub

© 2026 Zappush