deepclaw-voice

Fail

Audited by Gen Agent Trust Hub on Feb 17, 2026

Risk Level: HIGH
Tags: CREDENTIALS_UNSAFE, EXTERNAL_DOWNLOADS, REMOTE_CODE_EXECUTION, COMMAND_EXECUTION, DATA_EXFILTRATION
Full Analysis
  • [CREDENTIALS_UNSAFE] (HIGH): The skill prompts the user to input and store highly sensitive credentials, including Twilio Account SID, Twilio Auth Token, and Deepgram API Keys, into a plain-text .env file.
  • [DATA_EXFILTRATION] (HIGH): The setup process includes commands to programmatically extract an authentication token from a local configuration file (~/.openclaw/openclaw.json) using grep.
  • [EXTERNAL_DOWNLOADS] (MEDIUM): The skill downloads code from https://github.com/deepgram/deepclaw.git. While Deepgram is a known entity, this organization is not on the predefined list of trusted sources, making the repository's contents unverifiable.
  • [REMOTE_CODE_EXECUTION] (HIGH): The skill clones an external repository and immediately executes its dependencies and logic (pip install -r requirements.txt followed by python -m deepclaw.voice_agent_server) without any verification of the downloaded code.
  • [COMMAND_EXECUTION] (MEDIUM): The use of ngrok http 8000 creates a public tunnel to the local machine. This provides a direct network path for external attackers to reach the locally running server and potentially exploit any vulnerabilities in the unverified code.
  • [INDIRECT_PROMPT_INJECTION] (LOW): The skill facilitates a voice agent that processes untrusted audio input from phone calls. This creates an attack surface where an external caller could provide instructions to the underlying LLM to bypass safety filters or manipulate the agent's behavior.
      • Ingestion points: Twilio Webhook (POST requests from phone audio) ingested by deepclaw.voice_agent_server.
      • Boundary markers: None specified in the setup instructions.
      • Capability inventory: Network access (Twilio/Deepgram APIs), local file reading, and potential subprocess execution through the imported server module.
      • Sanitization: No evidence of input sanitization or validation of voice-to-text transcripts before processing.
Recommendations
  • AI detected serious security threats
Audit Metadata
Risk Level: HIGH
Analyzed: Feb 17, 2026, 06:23 PM