Clack
Pass
Audited by ClawScan on May 1, 2026.
Overview
Clack’s artifacts coherently implement a voice relay server, but installation grants a persistent server access to OpenClaw credentials, optional speech-provider keys, voice data, and local conversation history.
Clack appears purpose-aligned, but install it only on a server you control. Be comfortable granting sudo access, creating a systemd service, using the OpenClaw gateway token, and optionally storing speech-provider keys. Keep the relay port firewalled, use WSS or Tailscale, protect logs/history, and uninstall or rotate tokens if you stop using it.
Findings (8)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The Clack service can submit chat-completion requests to the user's OpenClaw gateway using that token.
The setup script reads the local OpenClaw gateway token from the user's OpenClaw config so the relay can call the gateway.
_GW_TOKEN=$(python3 -c "import json; c=json.load(open('$OPENCLAW_CONFIG')); print(c.get('gateway',{}).get('auth',{}).get('token',''))" 2>/dev/null)
Install only on a server you control, keep the gateway and relay tokens secret, and rotate tokens if the host or skill directory is no longer trusted.
Future dependency changes or compromised package sources could affect the service running on the host.
The privileged setup installs Python dependencies without version pins as part of service installation.
"$SKILL_DIR/venv/bin/pip" install -q fastapi uvicorn aiohttp websockets
Run setup on a maintained machine, consider pinning/auditing dependencies for production use, and avoid running updates blindly on sensitive hosts.
Enabling this endpoint is necessary for Clack, but it expands what the gateway can serve to authenticated clients.
The setup can modify the OpenClaw gateway configuration to enable the chat-completions endpoint, but it asks for confirmation first.
read -rp " Enable it now? (Y/n): " _CC_CONFIRM ... ['chatCompletions']['enabled']=True
Approve this change only if you intend to use Clack, and keep gateway access restricted by token and network controls.
Clack will keep running after setup and can accept relay connections according to its auth and network configuration.
The skill intentionally installs a persistent background service for the relay.
It creates a venv, installs deps, prompts for API keys, configures a systemd service, and optionally sets up SSL.
Use the documented `clack status`, `clack logs`, `clack restart`, and `clack uninstall` commands, and firewall the relay port as instructed.
Voice-chat transcripts and agent replies may persist locally and influence later conversations.
The server is designed to retain conversation history across sessions.
CLACK_HISTORY_DIR - History storage dir (default: /var/lib/clack/history)
CLACK_MAX_HISTORY - Max messages to keep (default: 50)
Reduce or disable retained history if needed, protect the history directory, and clear it before sharing or decommissioning the server.
Sensitive spoken content may be visible to local administrators or anyone with access to Clack's logs.
The STT code prints excerpts of transcribed speech, which can appear in local service logs.
print(f"[STT/openai] Text: '{text[:200]}'")
Treat service logs as sensitive and adjust logging if you use Clack for private conversations.
Voice audio, transcripts, and replies may be processed by the configured external providers and the OpenClaw gateway.
The core design routes audio/text between the client, speech providers, and the OpenClaw gateway.
Client audio (PCM 16kHz/16-bit/mono) → STT → OpenClaw Gateway → TTS → PCM audio back
Use only providers you trust, prefer on-device speech mode for sensitive audio, and require WSS or Tailscale as documented.
A user might over-rely on the badge instead of considering the privileged setup and credential handling.
The README includes a benign-rating badge, which is a trust signal users should not treat as a substitute for current review.
Evaluate the current artifacts and required permissions directly, regardless of any badge or prior-rating claim.
