Back to skill
Skillv2.0.1
VirusTotal security
Voice TTS/ASR · External malware reputation and Code Insight signals for this exact artifact hash.
Scanner verdict
SuspiciousApr 30, 2026, 5:43 AM
- Hash
- 97b013ec21b0ebe3812f70078c9069ea84bb4b3259ad755afb779207e4a74b45
- Source
- palm
- Verdict
- suspicious
- Code Insight
- Type: OpenClaw Skill Name: voice-tts Version: 2.0.1 The skill exhibits several high-risk patterns and vulnerabilities. Most notably, 'lib/config.mjs' and 'scripts/send_voice_reply.mjs' use 'vm.runInNewContext' to parse the main OpenClaw configuration file (~/.openclaw/openclaw.json), which constitutes a potential Remote Code Execution (RCE) vulnerability if the configuration file is tampered with. Additionally, 'bin/voice-asr.mjs' employs a prompt-injection technique by appending mandatory 'system-level' instructions to transcribed text to force the agent into using specific tools, which could be abused to hijack agent behavior. Finally, core logic files referenced in the code ('scripts/whisper' and 'scripts/edge_tts') are missing from the provided bundle, preventing a full security audit of the actual ASR/TTS execution.
- External report
- View on VirusTotal