ClawHub

Discord Voice

v0.1.6

Real-time voice conversations in Discord voice channels with Claude AI

7· 5.1k·28 current·31 all-time
by@avatarneil
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match what the code and manifests request: a Discord bot token, optional STT/TTS API keys (OpenAI, ElevenLabs, Deepgram), ffmpeg and native build tools. package.json and openclaw.plugin.json list TTS/STT providers and corresponding SDKs (discord.js, @deepgram/sdk, @aws-sdk/client-polly, kokoro-js, @xenova/transformers), which are proportionate to a voice plugin.
!
Instruction Scope
SKILL.md and plugin metadata explicitly support injecting a TTS hint into the agent prompt (noEmojiHint) and route transcribed text through the agent and its session/workspace. That is functionally a prompt-injection channel (the static scan also flagged 'system-prompt-override'). While some hinting is useful for TTS formatting, this capability lets configuration modify agent prompts and thus can influence model behavior beyond simple transcription → reply flow.
Install Mechanism
No opaque remote download/install spec in the registry entry; installation is standard (npm install / git clone). Dependencies are normal NPM packages from known registries. No high-risk custom URL downloads or archive extraction were found in the provided manifests.
Credentials
Declared secrets are proportional: a Discord bot token is required and various optional provider API keys are listed. However the plugin loads core agent dependencies and reads/writes the agent session store and workspace (resolveStorePath, loadSessionStore, ensureAgentWorkspace). That access is likely necessary for maintaining per-guild sessions, but it also gives the plugin programmatic access to agent data and potentially other configuration stored by the host — review host config contents before installing.
Persistence & Privilege
The skill is not force-included (always:false) and follows the platform default allowing autonomous invocation. It can auto-join voice channels if configured and will interact with the agent runtime and session stores — a normal level of privilege for this kind of plugin, but combined with prompt-injection/config-driven hinting this increases the attack surface.
Scan Findings in Context
[system-prompt-override] expected: The SKILL.md and plugin schema include a config option (noEmojiHint) that 'injects TTS hint: ...' into the agent prompt and also strip emojis before TTS. This is a legitimate TTS formatting feature, but it is precisely the kind of capability that the scanner flagged as 'system-prompt-override' because it can alter model input/system hints. Review how this hinting is implemented and whether it can be abused.
What to consider before installing
This plugin is plausible for its purpose but not risk-free. Before installing: 1) Only install from a trusted repository — the registry entry has no homepage. 2) Inspect or run the code in a sandbox and verify no undisclosed network endpoints are present. 3) Restrict access: set allowedUsers so not everyone in a voice channel can trigger API calls. 4) Review and avoid enabling any config that injects prompts/hints into agent input (noEmojiHint or similar) unless you trust the plugin and its configuration. 5) Provide only provider API keys with limited scopes/quotas (don’t reuse a high-privilege key). 6) Don’t set NODE_TLS_REJECT_UNAUTHORIZED=0. 7) If you rely on sensitive host agent data, audit what the plugin reads from the agent workspace/session store. If you want to proceed, run the included smoke-test and monitor network calls and logs during initial use.

Like a lobster shell, security has layers — review code before you run it.

Plugin bundle (nix)
Skill pack · CLI binary · Config
SKILL.mdCLIConfig
Config requirements
latestvk979prsv7phf7gs51wev7ssfg581bdnj

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Config example

Starter config for this plugin bundle.

{
  "plugins": {
    "entries": {
      "discord-voice": {
        "enabled": true,
        "config": {
          "sttProvider": "local-whisper",
          "ttsProvider": "openai",
          "ttsVoice": "nova",
          "vadSensitivity": "medium",
          "streamingSTT": true,
          "bargeIn": true,
          "allowedUsers": []
        }
      }
    }
  }
}

Comments