Vector-Robot
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This skill matches its robot-control purpose, but its helper scripts can execute unintended local code from crafted inputs and its voice proxy is too open for a persistent local service.
Review or fix the helper scripts before using them with untrusted speech text or file paths. If you use the voice proxy, bind it to localhost, add real API-key checking, and avoid installing the LaunchAgent until those controls are in place. Operate the robot only in a safe physical area and be aware that camera snapshots and voice requests may be saved locally.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A phrase that the agent is asked to make Vector say could run commands on the computer running the skill.
The speech text argument is interpolated directly into Python source code instead of being passed as argv/stdin. Crafted text containing Python string delimiters could break out of the quoted string and execute code as the local user.
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$TEXT'''))")
Pass text to Python via sys.argv, stdin, or an environment variable, for example using `python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$TEXT"`, and avoid constructing code from user-controlled text.
A malicious snapshot output path could execute local Python code or write camera images to unintended locations.
The output path argument is expanded into an unquoted Python here-document. A crafted path containing quotes or newlines can alter the generated Python program, and the path is otherwise not constrained.
python3 << EOF
...
with open('$OUTPUT', 'wb') as out:
Pass the output path as a Python argument, quote the here-document delimiter where possible, and validate that snapshot files are written only to user-approved locations.
If the proxy is running, other local processes, websites, or possibly LAN clients could interact with the voice-command bridge, inject requests, or receive responses from the local proxy workflow.
The proxy accepts chat-completion requests with permissive CORS, stores raw incoming questions, and starts listening without an explicit localhost bind or Authorization/API-key validation, despite the setup instructions mentioning an API key.
res.setHeader('Access-Control-Allow-Origin', '*');
...
const request = { timestamp: Date.now(), question, raw: data };
fs.writeFileSync(REQUEST_FILE, JSON.stringify(request, null, 2));
...
server.listen(PORT, () => {
Bind the server explicitly to `127.0.0.1`, require and verify a secret Authorization/API key, restrict CORS origins, and avoid writing raw prompts or responses unless logging is explicitly enabled.
The Vector voice proxy may keep running after reboot and continue writing logs until the LaunchAgent is unloaded or removed.
The optional installer creates a macOS LaunchAgent that starts the proxy at login and keeps it alive. This is disclosed, but it is persistent background behavior.
<key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/>
...
launchctl load "$PLIST_PATH"
Install the LaunchAgent only if continuous voice integration is needed, and provide or document an uninstall command such as `launchctl unload` plus removal of the plist.
Vector could move, fall, collide with objects, or capture images from its camera if commands are issued in an unsafe setting.
The skill intentionally exposes physical robot movement through wire-pod. The documentation warns about disabled cliff sensors, so this is purpose-aligned but safety-sensitive.
**⚠️ SAFETY: Cliff sensors are DISABLED during behavior control. Be careful with wheel movements!**
...
curl -s -X POST "$WIREPOD/api-sdk/move_wheels?lw=100&rw=100&serial=$SERIAL"
Use wheel and camera controls only with explicit user intent, keep the robot in a safe area, and prefer confirmations before movement commands.
