Vector-Robot
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: vector-robot Version: 1.0.0 The skill bundle is classified as suspicious primarily due to the `scripts/install-launchagent.sh` file, which creates a macOS LaunchAgent for persistence. This script installs `com.openclaw.vector-proxy.plist` to `~/Library/LaunchAgents/`, ensuring the `proxy-server.js` runs at startup and stays alive. While the `proxy-server.js` itself appears to be a benign local proxy for robot voice interaction (listening on localhost, writing/reading to local `request.json`/`response.json` files, and not making external network calls), the establishment of a persistent service is a high-risk capability that could be leveraged for malicious purposes if the proxied component were compromised or altered. There is no clear evidence of intentional data exfiltration, remote execution, or malicious prompt injection within the provided files, but the persistence mechanism elevates it beyond benign.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A phrase that the agent is asked to make Vector say could run commands on the computer running the skill.
The speech text argument is interpolated directly into Python source code instead of being passed as argv/stdin. Crafted text containing Python string delimiters could break out of the quoted string and execute code as the local user.
ENCODED=$(python3 -c "import urllib.parse; print(urllib.parse.quote('''$TEXT'''))")Pass text to Python via sys.argv, stdin, or an environment variable, for example using `python3 -c 'import sys, urllib.parse; print(urllib.parse.quote(sys.argv[1]))' "$TEXT"`, and avoid constructing code from user-controlled text.
A malicious snapshot output path could execute local Python code or write camera images to unintended locations.
The output path argument is expanded into an unquoted Python here-document. A crafted path containing quotes or newlines can alter the generated Python program, and the path is otherwise not constrained.
python3 << EOF
...
with open('$OUTPUT', 'wb') as out:Pass the output path as a Python argument, quote the here-document delimiter where possible, and validate that snapshot files are written only to user-approved locations.
If the proxy is running, other local processes, websites, or possibly LAN clients could interact with the voice-command bridge, inject requests, or receive responses from the local proxy workflow.
The proxy accepts chat-completion requests with permissive CORS, stores raw incoming questions, and starts listening without an explicit localhost bind or Authorization/API-key validation, despite the setup instructions mentioning an API key.
res.setHeader('Access-Control-Allow-Origin', '*');
...
const request = { timestamp: Date.now(), question, raw: data };
fs.writeFileSync(REQUEST_FILE, JSON.stringify(request, null, 2));
...
server.listen(PORT, () => {Bind the server explicitly to `127.0.0.1`, require and verify a secret Authorization/API key, restrict CORS origins, and avoid writing raw prompts or responses unless logging is explicitly enabled.
The Vector voice proxy may keep running after reboot and continue writing logs until the LaunchAgent is unloaded or removed.
The optional installer creates a macOS LaunchAgent that starts the proxy at login and keeps it alive. This is disclosed, but it is persistent background behavior.
<key>RunAtLoad</key> <true/> <key>KeepAlive</key> <true/> ... launchctl load "$PLIST_PATH"
Install the LaunchAgent only if continuous voice integration is needed, and provide or document an uninstall command such as `launchctl unload` plus removal of the plist.
Vector could move, fall, collide with objects, or capture images from its camera if commands are issued in an unsafe setting.
The skill intentionally exposes physical robot movement through wire-pod. The documentation warns about disabled cliff sensors, so this is purpose-aligned but safety-sensitive.
**⚠️ SAFETY: Cliff sensors are DISABLED during behavior control. Be careful with wheel movements!** ... curl -s -X POST "$WIREPOD/api-sdk/move_wheels?lw=100&rw=100&serial=$SERIAL"
Use wheel and camera controls only with explicit user intent, keep the robot in a safe area, and prefer confirmations before movement commands.