SenseAudio Voice CN

Security checks across malware telemetry and agentic risk

Overview

The skill provides the advertised voice features, but it can silently reuse a SenseAudio API key from an unrelated OpenClaw agent config and sends voice/text data to external services.

Review before installing if you have shared OpenClaw configs or private voice/text data. Use a dedicated SenseAudio API key, avoid confidential recordings or prompts unless you accept third-party processing, and delete generated audio files when the content or filename previews are sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 87%
Finding
The script reads SENSE_API_KEY from unrelated local OpenClaw configuration files, which expands its trust boundary and may unexpectedly consume secrets from another app context. This can cause credential confusion, use of unintended accounts, and surprise access to sensitive local configuration data without clear user consent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README directs users to use remote TTS providers and configure an API key, but it does not clearly warn that input text will be transmitted to third-party services such as SenseAudio or Microsoft Edge TTS. This can lead users to unknowingly send sensitive prompts, personal data, or confidential content off-device, which is a real privacy and data-handling risk in a voice skill.

Missing User Warnings

Medium
Confidence: 84%
Finding
The script sends user-provided audio and an API credential to a remote third-party service without an explicit warning at execution time, which can lead to uninformed transmission of sensitive voice data. In a skill context, users may assume local processing unless clearly told otherwise, increasing privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.