ClawHub

Voice Bridge Light

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a legitimate voice API, but it exposes an unauthenticated network service and recommends running it persistently as root.

Review carefully before installing. Use Piper instead of Edge TTS for sensitive text, bind the service to 127.0.0.1 or firewall it, add authentication or trusted-origin restrictions before exposing it, and run any systemd service as a dedicated unprivileged user rather than root.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly states that Edge TTS is online and requires access to Microsoft services, but it does not clearly warn users that submitted text may leave the local environment and be transmitted to a third party. In a voice/STT/TTS bridge, input text can contain sensitive data, so missing disclosure creates a real privacy and compliance risk even if the transmission is expected by the feature design.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill explicitly supports an online TTS backend (Edge TTS) and exposes HTTP endpoints for submitting text and audio, but it does not warn that user content may be transmitted to external services or over the network. This can lead operators to unknowingly send sensitive speech or text off-host, creating a real privacy and compliance risk even if the functionality is intentional.

Session Persistence

Medium
Category
Rogue Agent
Content
Enable and start:
```bash
systemctl daemon-reload
systemctl enable voice-bridge-light.service
systemctl start voice-bridge-light.service
```
Confidence
92% confidence
Finding
systemctl enable

VirusTotal

57/57 vendors flagged this skill as clean.

View on VirusTotal