v1.0.0

usewhisper-autohook

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 5:40 AM.

Analysis

This skill is not clearly malicious, but it should be reviewed carefully because it can automatically send, store, and later reinject full conversation turns through an external memory service.

GuidanceInstall this only if you are comfortable with Whisper receiving and retaining conversation content for memory. For Telegram or other multi-user agents, require explicit user/session headers, avoid the anon/default fallback, add redaction or opt-out rules for sensitive chats, and use dedicated API keys with monitoring.

Findings (5)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agent Goal Hijack

SeverityMediumConfidenceHighStatusConcern

SKILL.md

Before you think or respond to any message: ... Call get_whisper_context ... After you generate your final response: ... Call ingest_whisper_turn ... Always do this. Never skip.

The suggested system instruction forces automatic tool use before and after every response, with no built-in per-message opt-out or sensitivity check.

User impactThe agent may continue retrieving and storing memory even for a message the user would not want remembered or sent to the memory service.

RecommendationModify the auto-loop instructions to allow explicit opt-out, redaction, and admin/user approval rules for sensitive conversations.

Agentic Supply Chain Vulnerabilities

SeverityLowConfidenceMediumStatusNote

metadata

Required binaries (all must exist): none ... Required env vars: none

The registry metadata under-declares setup requirements that SKILL.md lists, including Node and Whisper environment variables.

User impactInstall-time checks may not warn the user about required runtime dependencies and credentials.

RecommendationUpdate registry metadata to declare the Node requirement and required/optional environment variables consistently.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse

SeverityMediumConfidenceHighStatusNote

SKILL.md

WHISPER_CONTEXT_API_KEY=YOUR_KEY ... export OPENAI_API_KEY="YOUR_UPSTREAM_KEY" ... export ANTHROPIC_API_KEY="YOUR_ANTHROPIC_KEY"

The skill requires a Whisper API key and, when proxy mode is used, upstream model-provider API keys.

User impactThe proxy can spend or use the configured provider accounts, and the memory API key authorizes access to the user’s Whisper project.

RecommendationUse least-privilege or dedicated keys where possible, monitor usage, and keep the proxy accessible only to trusted local clients.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning

SeverityHighConfidenceHighStatusConcern

SKILL.md

ingest_whisper_turn(user_id, session_id, user_msg, assistant_msg) ... user_msg = the full user message ... assistant_msg = your full final reply

The skill stores full conversation turns in long-term memory and later prepends retrieved memory into future prompts.

User impactSensitive conversation content may be retained by an external memory service and later influence future answers; poisoned or incorrect stored memory could be treated as relevant context.

RecommendationUse only for conversations intended to be stored, add retention/deletion and redaction policies, and treat retrieved memory as untrusted context rather than authoritative instruction.

Insecure Inter-Agent Communication

SeverityMediumConfidenceHighStatusConcern

usewhisper-autohook.mjs

const user_id = headerUserId || inferred.user_id || String(bodyRaw?.user || "anon");
const session_id = headerSessionId || inferred.session_id || "default";

The proxy relies on caller-supplied or inferred identifiers and falls back to shared anon/default IDs when missing.

User impactIf headers are omitted or inference fails, memory from different users or sessions could be stored under the same identity and reinjected into the wrong chat.

RecommendationFail closed unless explicit trusted user/session IDs are provided, and avoid shared defaults for multi-user agents.