EVEZ DAW Agent

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: evez-daw-agent
Version: 1.0.0

The skill implements a local music synthesis engine and DAW. A path traversal vulnerability exists in the `/api/chop` endpoint within `evez_daw.py`, where the `sample_path` parameter is passed directly to `soundfile.read()` without any sanitization or validation. This could allow an attacker to attempt to read arbitrary files from the host system. While the code appears functionally aligned with its stated purpose and lacks explicit exfiltration logic, the lack of input validation on file paths is a significant security flaw.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If the port is exposed beyond the local machine, another user on the network might be able to call the audio-generation endpoints.

Why it was flagged

The skill asks the user to launch a local HTTP API server. This is coherent with the DAW API purpose, but any locally running API should be kept scoped to trusted users and networks.

Skill content

```shell
python3 evez_daw.py --port 9112
```

Recommendation

Run it only when needed, prefer localhost-only access if supported, and do not expose port 9112 to untrusted networks.

What this means

The skill may not run until dependencies are installed, and installing them manually should be done from trusted package sources.

Why it was flagged

The code depends on third-party Python libraries, while the supplied install specifications do not pin or declare dependency installation. This is an operational/provenance note rather than evidence of malicious behavior.

Skill content

```python
import numpy as np
import soundfile as sf
from scipy import signal
```

Recommendation

Use a virtual environment and install required Python packages from trusted repositories; review dependency versions if reproducibility matters.

What this means

Using the drumkit feature will create files on disk in the skill's directory.

Why it was flagged

The drumkit generator creates persistent directories and WAV files under the skill directory. This is expected for a drumkit-generation feature, but users should be aware that it writes files locally.

Skill content

```python
kd=BASE_DIR/"drumkits"/name; kd.mkdir(parents=True,exist_ok=True)
```

Recommendation

Run the skill from a location where generated audio files are acceptable, and clean up generated drumkits if no longer needed.