ClawHub
Code Pluginsource linkedVerified

Voice Callv2026.5.28

OpenClaw voice-call plugin for Twilio, Telnyx, and Plivo phone calls.

@openclaw/voice-call·runtime voice-call·by @openclaw
openclaw plugins install clawhub:@openclaw/voice-call
Latest release: v2026.5.28Download zip

Capabilities

Tags
executes-codeartifact:npm-packnpm-mirror:available
configSchema
Yes
Executes code
Yes
HTTP routes
0
Runtime ID
voice-call

Compatibility

Built With Open Claw Version
2026.5.28
Min Gateway Version
>=2026.4.10
Plugin Api Range
>=2026.5.28
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The package coherently implements its stated purpose: Twilio, Telnyx, Plivo, and mock voice calls. The concern is impact, not deception: once configured with a real provider, tool and RPC actions can initiate calls, speak into calls, send DTMF, and end calls.
!
Instruction Scope
The README discloses the call, continue, speak, end, status, and gateway methods, but the artifacts do not show per-action human confirmation, destination allowlists for outbound calls, or narrower write scopes beyond operator.write.
Install Mechanism
The package is an official @openclaw release with source-linked metadata, a normal npm package layout, no install lifecycle script in package.json, clean VirusTotal telemetry, and pinned ordinary dependencies.
Credentials
Provider credentials and webhook exposure are expected for this function. Defaults and mitigations exist, including mock provider fallback, disabled inbound policy by default, webhook signature verification by default, loopback bind by default, SSRF-guarded provider API calls, and maxConcurrentCalls defaulting to 1; configured ngrok or Tailscale exposure can still change network reachability.
!
Persistence & Privilege
The runtime persists call records under a local voice-calls store, including phone numbers, transcripts, metadata, and processed event IDs, and logs some transcript/model text. This is purpose-related but privacy-sensitive and not strongly minimized or retention-scoped in the package artifacts.
Scan Findings in Context
[SQP-2] expected: The telephony actions flagged by SkillSpector match the plugin purpose and are disclosed in README/tool/RPC surfaces, but they are high-impact real-world actions without artifact-visible per-call confirmation.
[SQP-2] expected: The gateway and tool call-control methods are real and purpose-aligned; the Review verdict comes from their broad live-call authority and limited visible scoping, not from hidden behavior.
[SQP-2] expected: Persistent JSONL call records are confirmed in the runtime and support call state/history, but they include sensitive call content and identifiers without artifact-visible retention or encryption controls.
[SQP-2] unexpected: The transcript logging claim is partly supported: streaming transcripts are truncated for logs, but inbound auto-response paths log user messages and AI responses, which can still expose sensitive call content.
[suspicious.dangerous_exec] expected: Static scan found child_process use; inspected code shows it is limited to configured ngrok/Tailscale tunnel setup and cleanup for webhook exposure, not arbitrary command execution.
[suspicious.exposed_secret_literal] unexpected: Static secret findings appear to be false positives around config field names and assignment of user-provided credentials, not hardcoded secrets.
What to consider before installing
Install only if you intend agents/operators to control real phone calls. Use the mock provider for development, restrict who can invoke operator.write or the voice_call tool, prefer explicit approval for outbound calls and DTMF, review provider billing/consent requirements, and protect or regularly delete the local call log store because it can contain phone numbers and transcripts.
dist/runtime-entry-DwBgs2Sq.js:1498
Shell command execution detected (child_process).
dist/config-compat-CokN3Zzr.js:86
File appears to expose a hardcoded API secret or token.
dist/config-U-rgixyY.js:59
File appears to expose a hardcoded API secret or token.
dist/plivo-CVgE_V_c.js:24
File appears to expose a hardcoded API secret or token.
dist/runtime-entry-DwBgs2Sq.js:1827
File appears to expose a hardcoded API secret or token.
dist/twilio-CpBg6Ir5.js:190
File appears to expose a hardcoded API secret or token.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.

Verification

Tier
source linked
Scope
artifact only
Summary
Validated package structure and linked the release to source metadata.
Source
github.com/openclaw/openclaw
Commit
e93216080aa1
Tag
refs/heads/release/2026.5.28
Provenance
No
Scan status
suspicious

Tags

alpha
2026.5.19-alpha.1
beta
2026.6.1-beta.1
latest
2026.5.28

@openclaw/voice-call

Official Voice Call plugin for OpenClaw.

Providers:

  • Twilio (Programmable Voice + Media Streams)
  • Telnyx (Call Control v2)
  • Plivo (Voice API + XML transfer + GetInput speech)
  • Mock (dev/no network)

Docs: https://docs.openclaw.ai/plugins/voice-call Plugin system: https://docs.openclaw.ai/tools/plugin

Install

openclaw plugins install @openclaw/voice-call

Restart the Gateway afterwards.

Local dev install

PLUGIN_HOME=~/.openclaw/extensions
mkdir -p "$PLUGIN_HOME"
cp -R <local-plugin-checkout> "$PLUGIN_HOME/voice-call"
cd "$PLUGIN_HOME/voice-call" && pnpm install

Config

Put under plugins.entries.voice-call.config:

{
  provider: "twilio", // or "telnyx" | "plivo" | "mock"
  fromNumber: "+15550001234",
  toNumber: "+15550005678",
  sessionScope: "per-phone", // or "per-call"

  twilio: {
    accountSid: "ACxxxxxxxx",
    authToken: "your_token",
  },

  telnyx: {
    apiKey: "KEYxxxx",
    connectionId: "CONNxxxx",
    // Telnyx webhook public key from the Telnyx Mission Control Portal
    // (Base64 string; can also be set via TELNYX_PUBLIC_KEY).
    publicKey: "...",
  },

  plivo: {
    authId: "MAxxxxxxxxxxxxxxxxxxxx",
    authToken: "your_token",
  },

  // Webhook server
  serve: {
    port: 3334,
    path: "/voice/webhook",
  },

  // Public exposure (pick one):
  // publicUrl: "https://example.ngrok.app/voice/webhook",
  // tunnel: { provider: "ngrok" },
  // tailscale: { mode: "funnel", path: "/voice/webhook" }

  outbound: {
    defaultMode: "notify", // or "conversation"
  },

  // Optional response agent workspace. Defaults to "main".
  agentId: "main",

  streaming: {
    enabled: true,
    // optional; if omitted, Voice Call picks the first registered
    // realtime-transcription provider by autoSelectOrder
    provider: "<realtime-transcription-provider-id>",
    streamPath: "/voice/stream",
    providers: {
      "<realtime-transcription-provider-id>": {
        // provider-owned options
      },
    },
    preStartTimeoutMs: 5000,
    maxPendingConnections: 32,
    maxPendingConnectionsPerIp: 4,
    maxConnections: 128,
  },
}

Notes:

  • Twilio/Telnyx/Plivo require a publicly reachable webhook URL.
  • mock is a local dev provider (no network calls).
  • Telnyx requires telnyx.publicKey (or TELNYX_PUBLIC_KEY) unless skipSignatureVerification is true.
  • If older configs still use provider: "log", twilio.from, or legacy streaming.* OpenAI keys, run openclaw doctor --fix to rewrite them.
  • advanced webhook, streaming, and tunnel notes: https://docs.openclaw.ai/plugins/voice-call
  • responseModel is optional. When unset, voice responses use the runtime default model.
  • sessionScope defaults to per-phone, preserving caller memory across calls. Use per-call for reception, booking, IVR, and bridge flows where each carrier call should start fresh.
  • realtime.consultThinkingLevel is optional. When set, it overrides the thinking level used by the model behind realtime openclaw_agent_consult calls.
  • realtime.consultFastMode is optional. When set, it toggles fast mode for realtime openclaw_agent_consult calls.

Stale call reaper

See the plugin docs for recommended ranges and production examples: https://docs.openclaw.ai/plugins/voice-call#stale-call-reaper

TTS for calls

Voice Call uses the core messages.tts configuration for streaming speech on calls. Override examples and provider caveats live here: https://docs.openclaw.ai/plugins/voice-call#tts-for-calls

CLI

openclaw voicecall call --to "+15555550123" --message "Hello from OpenClaw"
openclaw voicecall continue --call-id <id> --message "Any questions?"
openclaw voicecall speak --call-id <id> --message "One moment"
openclaw voicecall end --call-id <id>
openclaw voicecall status --json
openclaw voicecall status --call-id <id>
openclaw voicecall tail
openclaw voicecall expose --mode funnel

Tool

Tool name: voice_call

Actions:

  • initiate_call (message, to?, mode?)
  • continue_call (callId, message)
  • speak_to_user (callId, message)
  • end_call (callId)
  • get_status (callId)

Gateway RPC

  • voicecall.initiate (to?, message, mode?)
  • voicecall.continue (callId, message)
  • voicecall.speak (callId, message)
  • voicecall.end (callId)
  • voicecall.status (callId)

Notes

  • Uses webhook signature verification for Twilio/Telnyx/Plivo.
  • Adds replay protection for Twilio and Plivo webhooks (valid duplicate callbacks are ignored safely).
  • Twilio speech turns include a per-turn token so stale/replayed callbacks cannot complete a newer turn.
  • responseModel / responseSystemPrompt control AI auto-responses.
  • Voice-call auto-responses enforce a spoken JSON contract ({"spoken":"..."}) and filter reasoning/meta output before playback.
  • While a Twilio stream is active, playback does not fall back to TwiML <Say>; stream-TTS failures fail the playback request.
  • Outbound conversation calls suppress barge-in only while the initial greeting is actively speaking, then re-enable normal interruption.
  • Twilio stream disconnect auto-end uses a short grace window so quick reconnects do not end the call.
  • Realtime provider selection is generic. Configure streaming.provider / realtime.provider and put provider-owned options under providers.<id>.
  • Runtime fallback still accepts the old voice-call keys for now, but migration is a doctor step and the compat shim is scheduled to go away in a future release.