ClawdTalk

Security checks across static analysis, malware telemetry, and agentic risk

Overview

ClawdTalk is mostly coherent for voice/SMS use, but it gives an external voice service persistent access to route requests into the user's main agent and broadly stores mission activity in server-side memory.

Review this carefully before installing. It is designed to connect your phone/SMS workflows to your main agent through ClawdTalk, but that means an always-on external service can route call content into your agent and store mission activity server-side. Use a restricted agent or limited tool set if possible, avoid sharing secrets over calls or mission memory, and only enable sessions_send/background startup if you trust the service and need always-on voice access.

Static analysis

Credential exposure instructions

Critical
Finding
Instructions expose credentials through shell, git config, or agent memory.

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Env credential access

Critical
Finding
Environment variable access combined with network send.

Exposed secret literal

Critical
Finding
File appears to expose a hardcoded API secret or token.

VirusTotal

66/66 vendors flagged this skill as clean.


Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI02: Tool Misuse and Exploitation
High
What this means

If enabled, voice-call traffic routed through ClawdTalk can reach the user's main agent session and potentially trigger the agent's normal tools and automations.

Why it was flagged

The setup script asks to enable sessions_send on the gateway HTTP tools API, which lets the ClawdTalk bridge send requests into the main agent session. The script explains this is normally blocked by OpenClaw for security.

Skill content

read -p "   Add sessions_send to gateway.tools.allow? (Y/n): " add_allow ... jq '.gateway.tools.allow = ((.gateway.tools.allow // []) + ["sessions_send"] | unique)' "$GATEWAY_CONFIG"

Recommendation

Only enable sessions_send if you trust ClawdTalk and understand which callers can access the phone number. Consider using a dedicated agent or restricted gateway profile for voice calls.

ASI03: Identity and Privilege Abuse
High
What this means

A call routed through this skill may be able to use the same connected services and privileges as the user's main agent, including workplace or account tools if the agent has them.

Why it was flagged

The voice context tells the agent that calls have full tool access, which is broad delegated authority for a phone/WebSocket interaction rather than a tightly scoped voice-only capability.

Skill content

You have FULL tool access: Slack, memory, web search, etc. Use them when needed.

Recommendation

Before using inbound voice control, restrict the agent's available tools where possible and require explicit approvals for actions that send messages, change data, spend money, or affect accounts.

ASI06: Memory and Context Poisoning
Medium
What this means

Phone numbers, message contents, outreach status, errors, or other task details may be stored server-side and later reused or displayed by the frontend.

Why it was flagged

The skill requires broad persistence of mission activity to server memory, but the provided instructions do not clearly limit sensitive content, retention, or reuse.

Skill content

Every significant action MUST be persisted using `save-memory` or `append-memory` IMMEDIATELY after the action succeeds... No exceptions.

Recommendation

Avoid storing secrets or unnecessary personal data in mission memory, and confirm with the provider how long memory is retained and who can access it.

ASI07: Insecure Inter-Agent Communication
Medium
What this means

Conversation content and tool results from voice interactions are shared with clawdtalk.com.

Why it was flagged

The skill clearly discloses that voice transcripts, tool results, and conversation state are sent through an external WebSocket service.

Skill content

`https://clawdtalk.com` (WebSocket) | `ws-client.js` | Voice transcripts, tool results, conversation state

Recommendation

Install only if you trust ClawdTalk/Telnyx with call transcripts, SMS content, and tool-result data.

ASI10: Rogue Agents
Medium
What this means

The ClawdTalk connection can remain active in the background across reboots, continuing to bridge calls to the local agent.

Why it was flagged

The README recommends keeping the WebSocket client running after reboot via cron. This persistence is purpose-aligned for inbound calls but important for users to understand.

Skill content

@reboot cd ~/clawd/skills/clawdtalk-client && ./scripts/connect.sh start

Recommendation

Use background or reboot startup only if you want always-on phone access, and know how to stop it with `./scripts/connect.sh stop` or remove the cron entry.

ASI04: Agentic Supply Chain Vulnerabilities
Low
What this means

Running the updater can overwrite skill files with code from the GitHub release.

Why it was flagged

The update script downloads release archives from GitHub and verifies a SHA256 checksum from the release assets. This is user-confirmed and safer than an unchecked download, but it still depends on GitHub release provenance.

Skill content

curl -sL "$ZIP_URL" -o "$ARCHIVE_ZIP" ... if [ "$EXPECTED_SHA" != "$ACTUAL_SHA" ]; then ... Aborting update.

Recommendation

Run updates only from the official repository and review release notes or diffs before updating.