ClawHub

xeon_tts

Security checks across malware telemetry and agentic risk

Overview

The skill’s TTS and voice-cloning purpose is coherent, but installation creates persistent background services and exposes a local workflow API without enough user control or warning.

Review before installing. Only use this on a machine where you are comfortable with persistent user services, model/package downloads, OpenClaw config changes, and local retention of voice samples. Bind the workflow gateway to localhost, require consent for any cloned voice, and know how to disable the xeontts systemd services before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs users to upload and store reference voice samples for voice cloning, but does not clearly disclose that voice data can be sensitive biometric information or explain the privacy/security implications of collecting it. In this context, the risk is elevated because the skill explicitly supports voice cloning and local retention of samples/results for 7 days, which increases the chance of misuse, unauthorized reuse, or privacy harm if users are not properly informed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The installer invokes scripts to configure integrations, install systemd services, and start local services automatically, but does not present any confirmation prompt or explicit warning before making those system-level changes. This is dangerous because users may trigger privileged persistence or network-exposed processes without understanding what will be modified, especially since the called helper scripts are not shown here and could perform broader actions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script creates persistent user systemd unit files that will run local executables from the skill directory, but it gives no warning, consent prompt, or dry-run option before modifying the user's autostart configuration. In an agent skill context, silently installing persistence increases risk because users may not realize the skill will keep running after the initial task completes.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The calls to systemctl --user daemon-reload and systemctl --user enable --now immediately change service state and start background processes without any interactive disclosure. This is a real persistence and background-execution behavior, which is especially sensitive for an agent skill because it can outlive the invoking session and continue exposing network services or processing data.

Ssd 3

Medium
Confidence
84% confidence
Finding
The `transcriptText` field contains natural-language instructions directing a downstream agent how to behave, including preserving workflow state and relaying internal handling details. If another agent treats this field as trusted conversational content rather than untrusted data, it can become a cross-component prompt-injection channel that manipulates downstream behavior or leaks workflow context.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal