Webchat Audio Notifications
PassAudited by ClawScan on May 1, 2026.
Overview
This appears to be a coherent browser audio-notification add-on, with only normal review points around local browser storage and verifying bundled/package assets.
This skill looks reasonable for its stated purpose. Before using it in a real webchat, verify the bundled Howler library and sound files, review the manual HTML/socket integration changes, and avoid uploading sensitive audio as a custom notification sound.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The bundled library will run inside the webchat page, so a tampered dependency could affect that page.
The skill bundles a minified third-party audio library from a CDN. This is expected for browser audio and is disclosed, but users should verify it matches the stated upstream Howler release because minified bundled code is harder to inspect.
**client/howler.min.js** (36KB) - Downloaded from CDN - v2.2.4 (latest stable) - Handles cross-browser audio
Verify the bundled Howler file against the official release or use a trusted package source before deploying to a production webchat.
Notifications may fail or users may need to locate missing sound assets before deployment.
The skill metadata references bundled sound files, while the provided file manifest only lists documentation under client/sounds and does not list the referenced MP3 assets. This is an install/package completeness issue rather than evidence of malicious behavior.
- client/sounds/notification.mp3 - client/sounds/alert.mp3
Confirm the installed package contains the expected audio files, or obtain them from the stated official repository rather than an untrusted source.
A user-selected sound file and its filename can remain stored in the browser after upload.
Uploaded custom sound files are converted to a data URL and stored persistently in browser localStorage. The code also bounds type and size, and this behavior is consistent with the documented custom-sound feature.
this._setPreference('customSoundData', dataUrl);
this._setPreference('customSoundName', file.name);Do not upload sensitive/private audio as a notification sound; use the remove custom sound option or clear browser storage if needed.