ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

AnveVoice

v1.0.3

Add AI voice assistants to your website. Engage visitors with natural voice conversations, capture leads, automate support, and boost conversions.

2· 587·0 current·0 all-time
by@anveai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
medium confidence
Purpose & Capability
The name/description (voice assistants for websites) align with the documented capabilities (embed widget, bot management, analytics, recordings). Declared MCP tools and endpoints (anvevoice.com, a Supabase functions domain) are consistent with a SaaS voice platform. One discrepancy: the registry summary at the top of the package claims no required env vars, whereas the SKILL.md metadata and SECURITY.md require ANVEVOICE_API_KEY (primaryEnv).
Instruction Scope
SKILL.md instructs the agent to set ANVEVOICE_API_KEY and to call platform tools (create_bot, add_knowledge, get_embed_code, analytics). It also documents embedding an external script which asks for microphone permission and sends voice recordings/transcripts and page metadata to AnveVoice servers. That behavior is expected for this product, but it explicitly transmits potentially sensitive visitor data to external endpoints — the SKILL.md and SECURITY.md advise consent and legal protections, which is appropriate.
Install Mechanism
This is an instruction-only skill with no install specification and no code files included in the package, so nothing is downloaded or written by the skill itself. The README shows an example install command referencing a GitHub repo, but there is no install script in the skill bundle.
Credentials
The skill asks for a single API credential (ANVEVOICE_API_KEY) which is proportionate to a SaaS control panel. However, there's an inconsistency between the registry metadata (which listed no required env vars) and the SKILL.md/SECURITY.md (which require the API key). No unrelated credentials or system paths are requested.
Persistence & Privilege
The skill does not request always:true and it does not declare any system-level persistence or modification of other skills. Autonomous invocation is allowed (platform default) and appropriate for a tool that manages bots and analytics.
Assessment
This skill appears to be what it says — a SaaS voice widget — but review and confirm a few things before installing: - Verify the API key: create a key with the minimum scopes needed (avoid a single 'full_access' key). Use separate dev/staging/prod keys and rotate/revoke as needed. - Confirm the vendor: the package metadata is missing a homepage in the registry but the SKILL.md/README point to https://anvevoice.com — visit that site, confirm contact/support channels, and validate the developer identity before trusting keys. - Privacy & consent: embedding the widget will request microphone access and send voice recordings, transcripts, and page metadata to AnveVoice servers. Ensure you disclose this in your privacy policy and obtain user consent. If you handle regulated data (PHI), get a BAA before sending any protected information. - Endpoint verification: SECURITY.md lists a Supabase project and specific function endpoints. Treat these as the service endpoints; if you require on-prem or self-hosted options, confirm with the vendor. - Test with non-sensitive data first: deploy in a staging environment, validate retention/auto-delete settings, and monitor usage in the dashboard for unexpected activity. - Metadata inconsistency: the registry metadata omitted the required env var while SKILL.md requires ANVEVOICE_API_KEY. This is likely a packaging oversight but verify the key requirement before use. If you are comfortable after these checks, using the skill is coherent with its stated purpose. If any of the verification steps fail (vendor unreachable, unclear privacy guarantees, or you cannot limit key scope), treat installation as risky.

Like a lobster shell, security has layers — review code before you run it.

accessibilityvk974vx6rn1vrywh8212srqrd5x81mfvcadd voice to websitevk97bx23ds5q0j57shbqrq16hg581mb29chatbot-alternativevk974vx6rn1vrywh8212srqrd5x81mfvcconversational-aivk974vx6rn1vrywh8212srqrd5x81mfvccustomer-supportvk974vx6rn1vrywh8212srqrd5x81mfvcecommercevk974vx6rn1vrywh8212srqrd5x81mfvceducationvk974vx6rn1vrywh8212srqrd5x81mfvchealthcarevk974vx6rn1vrywh8212srqrd5x81mfvchindi voice botvk97bx23ds5q0j57shbqrq16hg581mb29indian languages voicevk97bx23ds5q0j57shbqrq16hg581mb29latestvk97bx23ds5q0j57shbqrq16hg581mb29lead-generationvk974vx6rn1vrywh8212srqrd5x81mfvcmultilingualvk974vx6rn1vrywh8212srqrd5x81mfvcmultilingual voicevk97bx23ds5q0j57shbqrq16hg581mb29saasvk974vx6rn1vrywh8212srqrd5x81mfvcspeech-enabled websitevk97bx23ds5q0j57shbqrq16hg581mb29talk to visitorsvk97bx23ds5q0j57shbqrq16hg581mb29talking assistantvk97bx23ds5q0j57shbqrq16hg581mb29voice AIvk97bx23ds5q0j57shbqrq16hg581mb29voice assistantvk97bx23ds5q0j57shbqrq16hg581mb29voice chatbotvk97bx23ds5q0j57shbqrq16hg581mb29voice customer supportvk97bx23ds5q0j57shbqrq16hg581mb29voice interfacevk97bx23ds5q0j57shbqrq16hg581mb29voice lead generationvk97bx23ds5q0j57shbqrq16hg581mb29voice supportvk97bx23ds5q0j57shbqrq16hg581mb29voice widgetvk97bx23ds5q0j57shbqrq16hg581mb29voice-aivk974vx6rn1vrywh8212srqrd5x81mfvcwebsite voice botvk97bx23ds5q0j57shbqrq16hg581mb29website-engagementvk974vx6rn1vrywh8212srqrd5x81mfvc

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments