supercall

Enables AI-driven phone calls with custom personas using OpenAI and Twilio for seamless communication and automated navigation.

Security score: 0/100

The supercall skill was audited on Feb 18, 2026 and we found 20 security issues across 3 threat categories, including 8 high-severity. Review the findings below before installing.

Security Issues

medium line 176

Node child_process module reference

Source: SKILL.md
176: When `tunnel.provider` is set to `ngrok`, the plugin spawns the `ngrok` CLI binary via `child_process.spawn`. When set to `tailscale-serve` or `tailscale-funnel`, it spawns the `tailscale` CLI instead
medium line 154

Webhook reference - potential data exfiltration

Source: SKILL.md
154: | `tunnel.provider` | Tunnel for webhooks (ngrok/tailscale-serve/tailscale-funnel) | none |
medium line 163

Webhook reference - potential data exfiltration

Source: SKILL.md
163: - ngrok or Tailscale for webhook tunneling (production)
medium line 180

Webhook reference - potential data exfiltration

Source: SKILL.md
180: - **Local webhook server**: The plugin opens an HTTP server (default `0.0.0.0:3335`) to receive Twilio webhook callbacks and WebSocket media streams.
medium line 181

Webhook reference - potential data exfiltration

Source: SKILL.md
181: - **Startup self-test**: On startup, the plugin sends an HTTP POST to its own public webhook URL with an `x-supercall-self-test` header to verify connectivity. If `publicUrl` is misconfigured to point
medium line 184

Webhook reference - potential data exfiltration

Source: SKILL.md
184: ### Webhook verification
high line 13

Ngrok tunnel reference

Source: SKILL.md
13: "anyBins": ["ngrok", "tailscale"]
high line 56

Ngrok tunnel reference

Source: SKILL.md
56: | `NGROK_AUTHTOKEN` | [ngrok](https://dashboard.ngrok.com) | ngrok tunnel auth (only needed if using ngrok as tunnel provider) |
medium line 98

Ngrok tunnel reference

Source: SKILL.md
98: "provider": "ngrok",
medium line 99

Ngrok tunnel reference

Source: SKILL.md
99: "ngrokDomain": "your-domain.ngrok.app"
high line 154

Ngrok tunnel reference

Source: SKILL.md
154: | `tunnel.provider` | Tunnel for webhooks (ngrok/tailscale-serve/tailscale-funnel) | none |
high line 155

Ngrok tunnel reference

Source: SKILL.md
155: | `tunnel.ngrokDomain` | Fixed ngrok domain (recommended for production) | - |
high line 156

Ngrok tunnel reference

Source: SKILL.md
156: | `tunnel.ngrokAuthToken` | ngrok auth token | NGROK_AUTHTOKEN env |
high line 163

Ngrok tunnel reference

Source: SKILL.md
163: - ngrok or Tailscale for webhook tunneling (production)
high line 176

Ngrok tunnel reference

Source: SKILL.md
176: When `tunnel.provider` is set to `ngrok`, the plugin spawns the `ngrok` CLI binary via `child_process.spawn`. When set to `tailscale-serve` or `tailscale-funnel`, it spawns the `tailscale` CLI instead
high line 188

Ngrok tunnel reference

Source: SKILL.md
188: - **ngrok free-tier relaxation**: On free-tier ngrok domains (`.ngrok-free.app`, `.ngrok.io`), URL reconstruction may vary due to ngrok's request rewriting; Twilio signature mismatches are logged but
low line 48

External URL reference

Source: SKILL.md
48: | `OPENAI_API_KEY` | [OpenAI](https://platform.openai.com/api-keys) | Powers the realtime voice AI (GPT-4o) |
low line 49

External URL reference

Source: SKILL.md
49: | `TWILIO_ACCOUNT_SID` | [Twilio Console](https://console.twilio.com) | Twilio account identifier |
low line 50

External URL reference

Source: SKILL.md
50: | `TWILIO_AUTH_TOKEN` | [Twilio Console](https://console.twilio.com) | Twilio API authentication |
low line 56

External URL reference

Source: SKILL.md
56: | `NGROK_AUTHTOKEN` | [ngrok](https://dashboard.ngrok.com) | ngrok tunnel auth (only needed if using ngrok as tunnel provider) |
Scanned on Feb 18, 2026