中文 EN

Scan Report

Scan New Files

Trusted — Risk Score 5/100
Last scan:1 day ago Rescan
5 /100
ClawVoice
Voice calling plugin for OpenClaw — gives AI agents phone call capabilities via Twilio/Telnyx and AI voice via Deepgram/ElevenLabs
ClawVoice is a legitimate voice calling plugin with no security issues. All flagged base64 usages are standard audio encoding for WebRTC/voice APIs, and shell execution is documented Tailscale tunnel integration.
Skill NameClawVoice
Duration63.8s
Enginepi
Safe to install
This skill is safe to use. No action required.
ResourceDeclaredInferredStatusEvidence
Network READ READ ✓ Aligned External API calls to Twilio/Telnyx/Deepgram/ElevenLabs documented in SKILL.md
Filesystem NONE READ ✓ Aligned Config/state file access for workspace configuration - aligned with plugin frame…
Shell WRITE WRITE ✓ Aligned Tailscale CLI for tunnel setup - documented in SKILL.md Phase 3
5 Critical 34 findings
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(media.payload, "base64"
dist/media/stream-server.js:129
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(audioBase64, "base64"
dist/transport/elevenlabs-bridge.js:186
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(message.media.payload, "base64"
dist/transport/media-session-handler.js:300
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(payload, "base64"
dist/voice/bridge.js:293
🔒
Critical Encoded Execution Base64 编码执行(代码混淆)
Buffer.from(publicKey, "base64"
dist/webhooks/verify.js:33
🔗
Medium External URL 外部 URL
https://clawvoice.io
README.md:7
🔗
Medium External URL 外部 URL
https://docs.openclaw.ai/plugins/voice-call
README.md:11
🔗
Medium External URL 外部 URL
https://docs.openclaw.ai/nodes/talk
README.md:38
🔗
Medium External URL 外部 URL
https://openclaw.dev
README.md:72
🔗
Medium External URL 外部 URL
https://twilio.com
README.md:73
🔗
Medium External URL 外部 URL
https://telnyx.com
README.md:73
🔗
Medium External URL 外部 URL
https://deepgram.com
README.md:74
🔗
Medium External URL 外部 URL
https://elevenlabs.io
README.md:75
🔗
Medium External URL 外部 URL
https://www.npmjs.com/package/clawvoice
README.md:95
🔗
Medium External URL 外部 URL
http://127.0.0.1:3101/media-stream
README.md:125
🔗
Medium External URL 外部 URL
https://elevenlabs.io/app/conversational-ai
README.md:157
🔗
Medium External URL 外部 URL
https://console.twilio.com
README.md:202
🔗
Medium External URL 外部 URL
https://YOUR-TUNNEL-URL/clawvoice/webhooks/twilio/voice
README.md:206
🔗
Medium External URL 外部 URL
https://YOUR-TUNNEL-URL/clawvoice/webhooks/twilio/sms
README.md:210
🔗
Medium External URL 外部 URL
https://portal.telnyx.com
README.md:215
🔗
Medium External URL 外部 URL
https://YOUR-TUNNEL-URL/clawvoice/webhooks/telnyx
README.md:216
🔗
Medium External URL 外部 URL
https://www.twilio.com/docs/messaging/guides/10dlc
README.md:219
🔗
Medium External URL 外部 URL
https://console.twilio.com/us1/develop/sms/services
README.md:219
🔗
Medium External URL 外部 URL
https://login.tailscale.com/admin/dns
README.md:442
🔗
Medium External URL 外部 URL
https://elevenlabs.io/app/agents
SKILL.md:131
🔗
Medium External URL 外部 URL
https://console.deepgram.com
SKILL.md:194
🔗
Medium External URL 外部 URL
https://elevenlabs.io/app/conversational-ai\n
dist/cli.js:197
🔗
Medium External URL 外部 URL
https://api.twilio.com/2010-04-01/Accounts/$
dist/cli.js:244
🔗
Medium External URL 外部 URL
https://console.twilio.com/us1/develop/sms/services\n
dist/cli.js:292
🔗
Medium External URL 外部 URL
https://api.telegram.org/bot$
dist/index.js:545
🔗
Medium External URL 外部 URL
https://api.telnyx.com/v2/calls
dist/telephony/telnyx.js:21
🔗
Medium External URL 外部 URL
https://api.telnyx.com/v2/messages
dist/telephony/telnyx.js:53
🔗
Medium External URL 外部 URL
https://api.telnyx.com/v2/calls/$
dist/telephony/telnyx.js:85
🔗
Medium External URL 外部 URL
https://login.tailscale.com/f/$
dist/tunnel/tailscale.js:112

File Tree

69 files · 391.4 KB · 9416 lines
JavaScript 32f · 7286L TypeScript 31f · 1089L Markdown 2f · 706L JSON 4f · 335L
├─ 📁 dist
│ ├─ 📁 diagnostics
│ │ ├─ 📜 health.d.ts TypeScript 25L · 1.0 KB
│ │ └─ 📜 health.js JavaScript 321L · 11.3 KB
│ ├─ 📁 inbound
│ │ ├─ 📜 classifier.d.ts TypeScript 5L · 531 B
│ │ ├─ 📜 classifier.js JavaScript 72L · 2.2 KB
│ │ ├─ 📜 types.d.ts TypeScript 30L · 966 B
│ │ └─ 📜 types.js JavaScript 2L · 77 B
│ ├─ 📁 media
│ │ ├─ 📜 stream-server.d.ts TypeScript 22L · 755 B
│ │ └─ 📜 stream-server.js JavaScript 235L · 7.9 KB
│ ├─ 📁 prompts
│ │ ├─ 📜 personalities.d.ts TypeScript 28L · 961 B
│ │ └─ 📜 personalities.js JavaScript 345L · 14.4 KB
│ ├─ 📁 services
│ │ ├─ 📜 clawvoice.d.ts TypeScript 141L · 4.9 KB
│ │ ├─ 📜 clawvoice.js JavaScript 670L · 27.9 KB
│ │ ├─ 📜 memory-extraction.d.ts TypeScript 42L · 1.6 KB
│ │ ├─ 📜 memory-extraction.js JavaScript 117L · 4.2 KB
│ │ ├─ 📜 post-call.d.ts TypeScript 88L · 2.9 KB
│ │ ├─ 📜 post-call.js JavaScript 302L · 13.8 KB
│ │ ├─ 📜 relay.d.ts TypeScript 9L · 265 B
│ │ ├─ 📜 relay.js JavaScript 19L · 485 B
│ │ ├─ 📜 user-profile.d.ts TypeScript 10L · 450 B
│ │ └─ 📜 user-profile.js JavaScript 98L · 4.1 KB
│ ├─ 📁 telephony
│ │ ├─ 📜 telnyx.d.ts TypeScript 13L · 615 B
│ │ ├─ 📜 telnyx.js JavaScript 95L · 3.8 KB
│ │ ├─ 📜 twilio.d.ts TypeScript 13L · 615 B
│ │ ├─ 📜 twilio.js JavaScript 126L · 6.4 KB
│ │ ├─ 📜 types.d.ts TypeScript 29L · 891 B
│ │ ├─ 📜 types.js JavaScript 2L · 77 B
│ │ ├─ 📜 util.d.ts TypeScript 2L · 133 B
│ │ └─ 📜 util.js JavaScript 25L · 898 B
│ ├─ 📁 transport
│ │ ├─ 📜 audio-convert.d.ts TypeScript 40L · 1.7 KB
│ │ ├─ 📜 audio-convert.js JavaScript 161L · 6.0 KB
│ │ ├─ 📜 deepgram-bridge.d.ts TypeScript 35L · 1.3 KB
│ │ ├─ 📜 deepgram-bridge.js JavaScript 129L · 4.7 KB
│ │ ├─ 📜 elevenlabs-bridge.d.ts TypeScript 20L · 826 B
│ │ ├─ 📜 elevenlabs-bridge.js JavaScript 220L · 9.3 KB
│ │ ├─ 📜 media-session-handler.d.ts TypeScript 49L · 2.1 KB
│ │ ├─ 📜 media-session-handler.js JavaScript 306L · 13.5 KB
│ │ ├─ 📜 media-stream-server.d.ts TypeScript 43L · 1.5 KB
│ │ ├─ 📜 media-stream-server.js JavaScript 246L · 9.3 KB
│ │ ├─ 📜 voice-provider-bridge.d.ts TypeScript 17L · 671 B
│ │ └─ 📜 voice-provider-bridge.js JavaScript 2L · 77 B
│ ├─ 📁 tunnel
│ │ ├─ 📜 tailscale.d.ts TypeScript 34L · 1.0 KB
│ │ └─ 📜 tailscale.js JavaScript 126L · 4.3 KB
│ ├─ 📁 voice
│ │ ├─ 📜 bridge.d.ts TypeScript 49L · 2.7 KB
│ │ ├─ 📜 bridge.js JavaScript 445L · 16.0 KB
│ │ ├─ 📜 types.d.ts TypeScript 172L · 4.4 KB
│ │ └─ 📜 types.js JavaScript 42L · 1.6 KB
│ ├─ 📁 webhooks
│ │ ├─ 📜 verify.d.ts TypeScript 30L · 1.3 KB
│ │ └─ 📜 verify.js JavaScript 95L · 3.5 KB
│ ├─ 📜 cli.d.ts TypeScript 11L · 754 B
│ ├─ 📜 cli.js JavaScript 1099L · 53.1 KB
│ ├─ 📜 config.d.ts TypeScript 57L · 2.0 KB
│ ├─ 📜 config.js JavaScript 265L · 16.4 KB
│ ├─ 📜 errors.d.ts TypeScript 5L · 220 B
│ ├─ 📜 errors.js JavaScript 21L · 638 B
│ ├─ 📜 hooks.d.ts TypeScript 16L · 651 B
│ ├─ 📜 hooks.js JavaScript 113L · 3.7 KB
│ ├─ 📜 index.d.ts TypeScript 10L · 403 B
│ ├─ 📜 index.js JavaScript 669L · 29.1 KB
│ ├─ 📜 routes.d.ts TypeScript 39L · 1.9 KB
│ ├─ 📜 routes.js JavaScript 350L · 15.9 KB
│ ├─ 📜 tools.d.ts TypeScript 5L · 381 B
│ └─ 📜 tools.js JavaScript 522L · 24.0 KB
├─ 📜 openclaw-extension.mjs JavaScript 46L · 1.0 KB
├─ 📋 openclaw.plugin.json JSON 157L · 4.3 KB
├─ 📋 package-lock.json JSON 113L · 3.5 KB
├─ 📋 package.json JSON 49L · 1.1 KB
├─ 📝 README.md Markdown 502L · 22.5 KB
├─ 📝 SKILL.md Markdown 204L · 9.6 KB
└─ 📋 tsconfig.json JSON 16L · 372 B

Dependencies 2 items

PackageVersionSourceKnown VulnsNotes
ws ^8.19.0 npm No WebSocket library - standard for voice streaming
@clack/prompts ^1.1.0 npm No Interactive CLI prompts - used for setup wizard

Security Positives

✓ Comprehensive SKILL.md documents all functionality including guided setup flows
✓ Built-in tool restrictions: restrictTools defaults to true with deniedTools including exec, browser, web_fetch, gateway, cron, sessions_spawn
✓ All external URLs are to legitimate telephony/voice providers (Twilio, Telnyx, Deepgram, ElevenLabs)
✓ No data exfiltration or credential theft patterns detected
✓ Dependencies (ws, @clack/prompts) are well-known, reputable packages
✓ Webhooks include proper Ed25519 signature verification for Telnyx
✓ AI disclosure statement feature ensures call transparency