
Security audit

xeon_asr

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its local TTS purpose, but it exposes unauthenticated network services with filesystem-path access and installs persistent background services.

Review before installing, especially on shared or network-accessible machines. Only proceed if you are comfortable with package installation, model downloads, OpenClaw config edits, user-level autostart services, and local voice-file storage. Bind port 9002 to localhost or firewall it, add authentication, and avoid the direct clone-speak path API until it is restricted to server-managed reference audio IDs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The installer invokes a systemd service installation step without any interactive confirmation, dry-run, or clear disclosure of the system-level effects. This can modify persistence and startup behavior on the host unexpectedly, which is risky for a skill installer because users may not realize they are granting long-lived service execution.

Missing User Warnings

Medium
Confidence: 90%
Finding
The script automatically starts local services immediately after installation unless the user knows to pass --skip-start. Automatically launching services can expose network listeners, background processes, or resource usage without the user's informed consent, especially in an installer context where startup behavior should be explicit.

Missing User Warnings

Medium
Confidence: 94%
Finding
The script creates persistent user-level systemd unit files and immediately enables and starts them without any confirmation, dry-run, or explicit warning to the user. While this appears intended as convenience rather than abuse, silently establishing autostart behavior is security-relevant because it changes the user's persistence model and could keep network-exposed or buggy services running continuously.

Missing User Warnings

Medium
Confidence: 91%
Finding
The direct TTS endpoints write generated audio and, for clone mode, consume reference audio paths on disk, but these API responses do not provide the same retention/disclosure messaging present in the workflow endpoints. Because voice samples and synthesized speech are biometric/sensitive content, silent persistence increases privacy risk, especially if operators or other local processes can access retained files.

VirusTotal

64/64 vendors flagged this skill as clean.