Skillv1.0.0

ClawScan security

Omi Integration · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 5, 2026, 1:31 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill mostly matches its stated purpose (syncing Omi recordings via API and webhooks), but there are inconsistencies and a notable security issue in the webhook handler that could let remote webhook senders write files outside the intended storage directory if the webhook endpoint is exposed without proper secrets.
Guidance: This skill implements the advertised sync/webhook features, but review these before installing or exposing it: - Required binaries mismatch: ensure you have python3 and ngrok installed in addition to curl and jq; the SKILL metadata omits python3/ngrok. - Secure your webhook: set OMI_WEBHOOK_SECRET before exposing the webhook (ngrok will make the endpoint public). Without a secret anyone can send events to your server. - Fix path traversal risk: the webhook handler uses recording IDs from incoming JSON to build filesystem paths without sanitization. If the webhook is reachable an attacker could craft a recording_id containing '../' or other segments to create/overwrite files outside the intended storage. Only run the server publicly after adding input validation or forcing canonical/safe filenames (strip or reject slashes, normalize and ensure paths remain under the storage directory). - Audit exposed behaviors: the server runs handler scripts with untrusted network input; check/limit what the handler does, and consider running the webhook server behind a firewall or proxy that restricts source IPs or requires authentication. - Missing or misleading docs: PROJECT.md mentions other scripts and registries not included in this package — be cautious that the repo metadata may reflect a larger project and not all components are bundled here. If you plan to use this skill: - Run it locally first, do not expose via ngrok until you set a webhook secret and verify that recording IDs are sanitized. - Consider running the webhook server under a dedicated, limited account or container to reduce blast radius. - If you cannot audit or patch the handler, do not expose the webhook publicly.

Review Dimensions

Purpose & Capability: noteThe scripts and server implement the advertised features (API sync, webhook server, ngrok helper, local storage). However the SKILL metadata only declares curl and jq as required binaries while the runtime scripts also require python3 (webhook server) and ngrok (setup helper). PROJECT.md and other docs mention additional utilities and higher-level device registration scripts that are not included, which is inconsistent with the packaged files.
Instruction Scope: concernThe webhook server and handler accept JSON payloads from the network and write data directly into ~/omi_recordings using fields from the payload (e.g., recording id, created_at) to build filesystem paths. The handler concatenates the recording id into a path without sanitization, which allows path-traversal-style payloads (e.g., recording_id containing '..' or absolute segments) to create or overwrite files outside the intended per-recording directory if the webhook endpoint is reachable and unprotected. The SKILL.md notes an optional webhook secret but does not require it; the setup instructions encourage exposing the endpoint with ngrok, which would make this attack surface public if the secret is not set.
Install Mechanism: noteThis is instruction-only (no automated installer), which reduces automatic risk, but the provided scripts will be placed on disk and executed by the user. The runtime requires programs not declared in the metadata (python3 and ngrok). There is no packaged binary download; no installers are executed automatically by the skill.
Credentials: okThe skill does not request unrelated credentials or environment variables in the registry metadata. It asks the user to store an Omi API key in a file (~/.config/omi/api_key) and optionally uses OMI_WEBHOOK_SECRET/OMI_WEBHOOK_PORT environment variables. That is proportionate to its function. (Note: PROJECT.md references other credential files for a larger 'voice-capture-hub' that are not included here.)
Persistence & Privilege: okThe skill is not marked always:true and does not request system-wide privileges. It runs a local HTTP server and writes files under the user's home directory (~/omi_recordings and ~/.config/omi) which is expected for this functionality. It does not change other skills' configs.