Scan Report
0 /100
phone-call-agent
AI voice call agent — make outbound calls, generate browser call links, accept inbound calls, and retrieve full transcripts + summaries when calls end.
This is a documentation-only AI skill describing a self-hosted phone call agent with no executable code, scripts, or binaries present.
Safe to install
This skill is safe to use. It contains only documentation (SKILL.md) describing an open-source voice call agent. No security concerns identified.
| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | NONE | — | No file operations described or implemented |
| Network | NONE | NONE | — | Only user-configured infrastructure URLs in documentation |
| Shell | NONE | NONE | — | No shell commands described |
| Environment | NONE | NONE | — | No environment reading described |
| Skill Invoke | NONE | NONE | — | MCP tools are for call management only |
| Clipboard | NONE | NONE | — | No clipboard access |
| Browser | NONE | NONE | — | WebRTC call handled by user browser |
| Database | NONE | NONE | — | No database operations described |
5 findings
Medium External URL 外部 URL
https://your-app.com/call-webhook SKILL.md:85 Medium External URL 外部 URL
https://your-tunnel.trycloudflare.com SKILL.md:88 Medium External URL 外部 URL
https://abc123.trycloudflare.com/call/web-xxx?token=... SKILL.md:101 Medium External URL 外部 URL
https://abc123.trycloudflare.com SKILL.md:119 Medium External URL 外部 URL
https://your-tunnel.../call/web-xxx?token=... SKILL.md:251 File Tree
1 files · 8.5 KB · 294 lines Markdown 1f · 294L
└─
SKILL.md
Markdown
Security Positives
✓ Documentation-only skill with no executable code
✓ Clear, transparent description of all functionality in SKILL.md
✓ Open-source project (MIT-0 license) with public GitHub repository
✓ Self-hosted architecture - user controls all infrastructure
✓ MCP tools are scoped to call management (create_share_link, get_call_result, make_voice_call)
✓ No hidden functionality or obfuscated code
✓ External URLs are standard infrastructure (LiveKit WebRTC, Cloudflare tunnels) and documented
✓ User provides their own API keys - no credential harvesting occurs