xiaoai-ha-control

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a XiaoAI/OpenClaw bridge, but it exposes broad unauthenticated command-forwarding and stores voice-derived text locally.

Review before installing. Only run this on a trusted, firewalled host; bind the bridge to localhost or a private interface, add authentication, and restrict what XiaoAI-originated input can trigger. Be aware that spoken or Home Assistant conversation text may be saved locally and forwarded to the main OpenClaw agent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Tainted flow: 'OPENCLAW_BIN' from os.environ.get (line 22, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
```python
import subprocess

def run_openclaw(prompt: str) -> tuple[str, str, int]:
    # OPENCLAW_BIN (read via os.environ.get, skill line 22) and the caller's prompt both reach the sink
    proc = subprocess.run(
        [OPENCLAW_BIN, 'agent', '--agent', 'main', '--message', prompt],
        capture_output=True,
        text=True,
        timeout=OPENCLAW_TIMEOUT,
    )
    return proc.stdout, proc.stderr, proc.returncode  # return value inferred from the annotated signature
```
Confidence
93% confidence
Finding
proc = subprocess.run( [OPENCLAW_BIN, 'agent', '--agent', 'main', '--message', prompt], capture_output=True, text=True, timeout=OPENCLAW_TIMEOUT, )

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The forwarding logic explicitly allows any source other than xiaoai-speaker to be forwarded automatically to OpenClaw. That means arbitrary clients can use this bridge as a generic command/message injection path into the main agent, expanding the trust boundary far beyond the stated XiaoAI-only integration.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The HTTP server binds to 0.0.0.0 and exposes a POST endpoint with no authentication, authorization, or integrity protection. On any reachable network, an attacker can submit arbitrary text for forwarding to OpenClaw and potentially trigger downstream actions, making the skill context especially dangerous because it bridges into home automation and voice-control workflows.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script forwards XiaoAI-originated content into a general-purpose OpenClaw agent with instructions to decide whether to handle the task itself or delegate it to other sub-agents. That expands the trust boundary from simple voice-speaker control into broader autonomous routing, so untrusted spoken input can trigger unintended downstream actions or data flows beyond the skill’s stated core control function.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The script stores the full last XiaoAI message on disk in a predictable file under the skill directory, even though persistent storage is not required to produce the spoken response. This creates unnecessary retention of potentially sensitive voice-derived content and increases exposure to local disclosure, accidental reuse, or improper access by other processes or users.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger rule is overly broad: any normal chat mentioning “小爱/小爱同学” is routed to this control skill. That can cause unintended execution of device-control, speech, or playback actions from conversational references, increasing the risk of prompt-routing abuse and accidental command dispatch in a security-sensitive home automation context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation describes actions that can change device behavior, fetch external audio URLs, and bridge voice content into another system, but it does not clearly warn about privacy, network egress, and real-world side effects. In this context, lack of explicit safety guidance can lead users or upstream agents to invoke powerful actions without informed consent or proper validation.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The service stores incoming voice text in multiple local files and logs, with no minimization or access controls visible in the code. In a voice-assistant bridge, this can expose sensitive spoken content, commands, personal data, or household information to other local users, backups, or log collectors.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persists raw user conversation content to local files (`ha_conversation_content.txt` and `xiaoai_to_butler_last_message.txt`) without any minimization, retention control, or visible consent mechanism in the implementation. Because this skill handles voice-assistant conversations, the stored text may contain sensitive personal data, commands, or household information, increasing privacy and data-exposure risk if the host is multi-user, backed up, or otherwise accessible.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes user-provided XiaoAI content to disk without any visible notice, consent, or retention policy. Because voice-originated messages may contain personal requests, names, schedules, or home-related information, undisclosed logging materially increases privacy risk even if no direct code execution occurs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script sends XiaoAI-derived user content to the external `openclaw` agent process without visible disclosure or consent. In this skill context, the message may contain household commands or personal information, and transferring it to another agent broadens processing scope and privacy exposure beyond simple local speaker control.

VirusTotal

VirusTotal engine telemetry is currently stale for this artifact.