Skill v1.0.6

ClawScan security

Audio Play · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious (Mar 8, 2026, 9:07 AM)

Verdict: suspicious
Confidence: high
Model: gpt-5-mini

Summary: The skill's instructions and plugin metadata refer to a local Python script and an absolute Windows path that are not included in the package. This is internally inconsistent and could cause the agent to access files on your machine or to fail to run as described.

Guidance: Do not install or run this skill as-is. Before proceeding, ask the publisher to: (1) include the referenced script (scripts/audio_play.py) and any other code files in the package, or change the plugin entry to a bundled relative path; (2) explain why the skill needs WSL/Windows executable access and list any binaries it will run; (3) provide a minimal, reviewable implementation (or source link) so you can inspect exactly what will be executed; and (4) confirm the skill will not read arbitrary files outside its working directory. If you must test it, run it in an isolated environment (sandbox/VM) and do not grant it access to sensitive directories.

Review Dimensions

Purpose & Capability
Concern: The stated purpose (play audio on Windows) is plausible, but the package contains no code to perform that action. The plugin's entry points to an absolute host path (/mnt/h/.../audio_play.py) that is not bundled; this does not align with a distributable skill and suggests reliance on files on the user's filesystem.

Instruction Scope
Concern: SKILL.md instructs the agent to run a local Python script via WSL (wsl -> python.exe scripts/audio_play.py) and to access Windows paths (/mnt/h/...). Those instructions require reading and launching executables on the host machine and a visible desktop. The referenced script and paths are missing from the package, so the instructions either cannot be executed or would force the agent to access unspecified local files.

Install Mechanism
Concern: There is no install spec (instruction-only), which is low risk in general, but the plugin metadata (openclaw.plugin.json) sets entry to an absolute host filesystem path rather than a bundled relative entry. That mismatch is suspicious because it implies the skill expects code outside the package.

Credentials
Concern: The skill declares no environment variables or credentials, yet its instructions require WSL access, launching Windows executables, and reading from /mnt/h. While it does not explicitly request secrets, the skill implicitly needs permission to access arbitrary host file paths and execute local programs, a capability not conveyed in the metadata.

Persistence & Privilege
OK: The skill does not request permanent presence (always:false) and does not declare actions that modify other skills or global agent settings. Autonomous invocation is allowed (default), which is normal and not by itself a red flag.