Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
H-ear
v1.0.0
H-ear.world transforms sound into an actionable, meaningful translation layer of the world around you. Describe, share and act upon audio as a spatiotemporal...
by Paul Day (@badajoz95)
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
Capability signals
These labels describe what authority the skill may exercise. They are separate from suspicious or malicious moderation verdicts.
OpenClaw
Suspicious
Confidence: medium
Purpose & Capability
Name/description, commands, and code all implement an audio-classification CLI/client using an H-ear API key — that is coherent. However the SKILL metadata claims an instruction-only skill while a full TypeScript codebase is present, and the code expects an external binary (ffmpeg) for capture even though no required binaries are declared.
Instruction Scope
SKILL.md claims the OpenClaw gateway will 'manage webhook endpoints automatically' and that users don't need external endpoints, but the code (alerts.ts, webhook creation, classify-batch) requires or accepts explicit callbackUrl values and enforces a callbackUrl for alert registration. The CLI also reads local files, spawns ffmpeg, and can capture from RTSP sources — behaviors not reflected in the declared runtime requirements and with privacy implications (RTSP camera capture).
Install Mechanism
No install specification is provided (lowest install risk), but the package.json declares a dependency on @h-ear/core. There are no downloads from unknown URLs or archive extraction. The discrepancy is that the skill claims to be instruction-only yet includes full source and a packaged CLI.
Credentials
Declared required env vars in metadata are HEAR_API_KEY and HEAR_ENV (primary credential HEAR_API_KEY), which is appropriate. But the code also reads HEAR_BEARER_TOKEN (documented as an alternative in README/SKILL.md) and optional HEAR_BASE_URL and LISTEN_RTSP_URL — these are used but not listed in the metadata requires.env. The CLI will also use LISTEN_RTSP_URL for RTSP capture, a potentially sensitive source. Ensure the platform will supply or gate these variables and avoid giving high-privilege API keys unnecessarily.
Persistence & Privilege
Skill is not always-on and does not request permanent platform presence. It does not modify other skills or global configuration. It can run autonomously per platform defaults, which is normal.
What to consider before installing
This skill appears to implement legitimate audio-classification features, but there are several mismatches you should resolve before installing:
- ffmpeg is invoked by the CLI for RTSP/audio capture but is not declared in required binaries. If you plan to use capture/listen features, ensure ffmpeg is installed and consider the security/privacy of reading RTSP streams (LISTEN_RTSP_URL).
- The SKILL.md/metadata omit environment variables that the code reads (HEAR_BEARER_TOKEN, HEAR_BASE_URL, LISTEN_RTSP_URL). Confirm which env vars OpenClaw will provide and avoid supplying high-privilege production keys if not necessary.
- SKILL.md states webhooks are managed by the OpenClaw gateway and no external endpoint is needed, but the code requires or uses callbackUrl parameters and includes webhook creation/listing functions. Ask the author whether the client integrates with the gateway automatically or whether it will register webhooks pointing to external URLs (and what those URLs will be).
- The package includes full source and depends on @h-ear/core. Audit that package (source/repo) before trusting keys. Verify the repository and npm package provenance (publisher, repository URL, checksums).
If you cannot obtain clarifications, treat this skill as risky: do not provide production API keys, avoid enabling RTSP capture or webhook registration, and prefer scoped/test credentials. If you want help formulating specific questions to the author or checking the @h-ear/core package, I can draft them.
src/cli.ts:62
Shell command execution detected (child_process).
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.
Runtime requirements
Env: HEAR_API_KEY, HEAR_ENV
Primary env: HEAR_API_KEY
