Calls — Audio & Video

One-to-one and group audio/video calls between members, powered by LiveKit. Adds a Call button to direct messages and member profiles. Calls are only offered when the other person is online, and every member can opt out of being called. Point it at LiveKit Cloud or your own self-hosted LiveKit server.

AI security review

Reviewed safe · 94/100
A LiveKit-backed audio/video calling extension that uses standard Laravel routing, auth, CSRF, validation and rate limiting. Tokens are signed server-side and the API secret never reaches the browser; no RCE, SQL injection, SSRF, hardcoded credentials, or exfiltration was found.
  • low · Call answer relies only on invitee list + TTL — In CallsController::answer/decline/end, authorization is checked against invitee_ids/participantIds and a ring TTL. This is reasonable, though room names are random (random_bytes(8)) and tokens are minted server-side per authorized user, so unauthorized join is not feasible. Minor: no explicit re-check that the conversation membership still holds at answer time.
  • low · User-provided caller avatar/name rendered in DM ring overlay — resources/forum.ts builds the ring overlay with caller name/initials passed through escapeHtml(), and the avatar URL is interpolated into an img src. Values originate server-side from Present::avatar(), so risk is limited, but the avatar URL is not validated/escaped for attribute breakout in the frontend.

Automated review of v1.0.4 by claude-opus-4-8 2 days ago. This is an automated signal to aid your judgment — not a guarantee.