Dynamic code execution
- Finding
- Dynamic code execution detected.
Security checks across static analysis, malware telemetry, and agentic risk
The listing claims to be an ASR transcription skill, but the supplied files are a TTS and voice-cloning skill that installs persistent local services and changes OpenClaw settings.
Treat this as a TTS/voice-cloning package, not an ASR transcription skill. Do not install it under the xeon_asr listing unless you intentionally want xeontts, are comfortable with external package/model downloads, persistent localhost services, OpenClaw config changes, and local storage of voice samples. Review the install scripts first and test in an isolated environment.
VirusTotal findings are pending for this skill version.
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A user expecting speech-to-text could instead install a voice-generation and voice-cloning service.
The registry-facing description presents an ASR/transcription skill, but the supplied package content describes and implements Xeon TTS voice synthesis and voice cloning.
Name: xeon_asr; Description: Automatically converts received voice messages to text via an external ASR service
Do not install this listing until the publisher aligns the name, slug, description, and package contents or republishes it under the correct TTS identity.
An agent could follow instructions for a different capability than the user intended, causing task routing and installation confusion.
The evaluated skill is presented as xeon_asr, but its instructions tell an agent to install xeontts and to avoid ASR/STT requests.
clawhub install xeontts ... 以下场景禁止走 xeontts:识别语音 / 语音转文字 / STT / ASR (translation: the following scenarios must not be routed to xeontts: speech recognition / speech-to-text / STT / ASR)
Require the publisher to remove cross-skill install redirection and make the invocation rules match the advertised skill.
Installing the skill depends on external package/model sources that can change over time or be compromised.
The setup script downloads and executes an external installer, installs an unpinned/upgraded PyPI package, and downloads model artifacts without visible revision pinning or checksums.
wget --timeout=120 -q "$conda_url" -O /tmp/miniconda.sh ... bash /tmp/miniconda.sh ... pip install -q --upgrade "$TTS_PIP_SPEC" ... "$hf_cli" download "$repo_id"
Use pinned package versions, model revisions, checksums/signatures, and declare these install requirements in metadata before users run the installer.
The TTS services may keep running after installation and restart automatically unless the user disables the systemd units.
The installer creates persistent user-level services that auto-restart and are enabled immediately.
Restart=always ... systemctl --user enable --now "$TTS_UNIT_NAME" ... systemctl --user enable --now "$NODE_UNIT_NAME"
Install only if persistent background TTS services are desired; provide and document a systemctl-based stop/disable/uninstall path.
Starting this skill could interrupt unrelated Node services or other OpenClaw activity on the same machine.
The start script uses a broad process-kill pattern and restarts the OpenClaw gateway, which is not scoped only to this skill's exact process.
pkill -f "node.*server.js" 2>/dev/null || true ... openclaw gateway restart
Scope process management to this skill's PID file, working directory, or systemd unit, and ask for explicit approval before restarting shared services.
The install may make system-level package changes beyond what a user would expect from the ASR listing.
The setup path can use sudo/root package installation even though the registry requirements declare no required binaries or install spec.
$SUDO apt-get install -y wget curl git lsof net-tools unzip bzip2 ca-certificates ffmpeg
Declare privileged setup requirements clearly and let the user opt in before running OS package-manager commands.
Short voice samples, generated audio paths, and session identifiers may remain on disk during the configured retention period.
The workflow stores uploaded reference audio and session state locally for later voice-cloning steps.
fs.copyFileSync(sourcePath, targetPath); ... session.referenceAudioPath = targetPath; session.referenceDurationSec = durationSec;
Use only with consent for voice cloning, review the references/runtime/output directories, and confirm retention and cleanup behavior.
This is unlikely to affect normal users as shown, but it would be unsafe if untrusted expressions were ever passed to the helper.
The self-check dynamically evaluates JavaScript expressions. The shown calls pass fixed local assertions, but dynamic evaluation is still a fragile pattern.
const fn = new Function("cfg", `return (${process.argv[2]});`);
Replace dynamic expression evaluation with explicit JSON property checks.