
Security audit

ClawVoice

Security checks across malware telemetry and agentic risk

Overview

This appears to be a disclosed voice skill with x402 payment support, not a hidden or deceptive package, but users should treat its local wallet as sensitive.

Install only if you want a voice skill that can create and use a small local Base USDC hot wallet. Do not fund the wallet with more than you are comfortable letting an agent spend, keep wallet.json private, avoid --approve and withdrawal --yes unless you trust the automation, and only configure talk agent commands you would run yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises capabilities that include network access and environment interaction, but it does not declare permissions or present an explicit permission model in the skill manifest. That mismatch can mislead users and host systems about what the skill may do, especially because it can make paid hosted calls and manage a local wallet, increasing the chance of unintended external communication or use of sensitive local state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The initializer always calls ensureWallet() and persists a payment-capable wallet even when the user selects local-only voice mode. That unnecessarily expands the attack surface by creating and storing sensitive key material on disk for users who may never need paid features, increasing the risk of credential theft, accidental funding, or unintended spending if the host is compromised or later misconfigured.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The code executes `agentCommand` via `/bin/sh -c`, which allows any configured string to run as an arbitrary shell command. Even if intended to launch a local agent CLI, this design creates command-execution risk from configuration or CLI input and is broader than the stated voice/TTS role, making compromise or misuse materially more dangerous.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file implements a direct USDC withdrawal capability from a local hot wallet, which materially exceeds a skill described primarily as voice/TTS and x402 paid-call support. Even though the metadata mentions a local Base wallet, adding a generic withdrawal path creates a fund-exfiltration primitive that could be invoked by an agent or operator mistake, especially because the feature is not tightly constrained to payment settlement flows.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger language for invoking ClawVoice is overly broad, mapping common conversational phrases like requests to 'speak' or 'say something out loud' directly into tool execution. This creates a prompt-triggering risk where normal user language, quoted text, or indirect content could cause unexpected voice actions or paid fallback behavior.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The skill enables persistent session voice mode based on vague phrases like 'from now on' or 'always', without a strong confirmation step or scoped consent. This can cause long-lived behavioral changes from ambiguous language, increasing the chance of repeated unintended tool use and repeated paid calls or privacy issues from speaking future replies aloud.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The `config` command prints the full required configuration directly to stdout, which can expose sensitive operational settings such as wallet policy, service endpoints, conversation settings, or other secrets if they are stored in config. In a voice/payment agent context, users may run this in shared terminals, logs, shell history capture, or support sessions, making accidental disclosure materially more risky.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code records microphone input to a WAV file under a local audio directory and may retain it when the keep option is enabled, while only printing a generic recording prompt. Spoken audio can contain sensitive information, so persistence without clear notice, retention controls, or secure handling creates a privacy and data-exposure risk, especially on shared systems or if the audio directory is broadly accessible.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code generates a new wallet private key and persists it locally to disk without any explicit user consent, warning, or setup-time disclosure that a spend-capable credential is being created. In the context of a voice skill with a local Base wallet for paid x402 calls, silent key creation increases the chance that users unknowingly store a hot wallet on disk, which can be exposed through local compromise, backups, misconfigured permissions, or other software on the host.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
if (!flags.yes) {
  if (!isInteractive()) {
    throw new Error("Refusing to withdraw without confirmation in a noninteractive shell. Re-run with --yes.");
  }
  const ok = await askYesNo("\nSend this withdrawal now?", false);
  if (!ok) {
    // excerpt ends here; the scanner did not quote the rest of the branch
  }
}
Confidence
83% confidence
Finding
Matched text: "without confirmation". The excerpt does refuse to withdraw silently in a non-interactive shell, but the whole check is skipped by --yes, so any wrapper script, scheduled job or agent that passes that flag can move funds with no human in the loop; the interactive prompt is the only confirmation and nothing else in the excerpt bounds the amount or destination.

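The withdrawal finding above notes that the path is not constrained to settlement flows, and the excerpt shows --yes removing the only confirmation. A gate that keeps that --yes behaviour but makes it insufficient on its own, as an added example for this audit and not ClawVoice's code: every withdrawal must also fit a per-transaction cap, a rolling 24-hour cap and a destination allowlist. Amounts are USDC base units (6 decimals); the policy values, field names and helper names are assumptions.

```javascript
// Added example, not ClawVoice's own code. Policy gate for a hot-wallet
// withdrawal command; --yes only skips the prompt, never the policy.
const USDC_DECIMALS = 6n;
const usdc = (n) => BigInt(n) * 10n ** USDC_DECIMALS;

const DEFAULT_POLICY = {
  maxPerWithdrawal: usdc(5),        // assumed: 5 USDC per transaction
  maxPerDay: usdc(20),              // assumed: 20 USDC per rolling 24h window
  allowedDestinations: new Set(),   // empty set: nothing is allowed until configured
};

// Sum of past sends inside the window. history entries are {amount, at},
// with `at` a millisecond timestamp.
function spentInWindow(history, now, windowMs = 24 * 60 * 60 * 1000) {
  return history
    .filter((h) => now - h.at < windowMs)
    .reduce((sum, h) => sum + h.amount, 0n);
}

// Returns {ok: true, needsPrompt} or {ok: false, reason}. Never throws, so
// the caller can log the reason before exiting non-zero.
function authorizeWithdrawal(
  { to, amount, flags = {}, interactive, history = [], now = Date.now() },
  policy = DEFAULT_POLICY,
) {
  if (typeof amount !== "bigint" || amount <= 0n) {
    return { ok: false, reason: "amount must be a positive bigint in USDC base units" };
  }
  if (typeof to !== "string" || !policy.allowedDestinations.has(to.toLowerCase())) {
    return { ok: false, reason: `destination ${to} is not allowlisted` };
  }
  if (amount > policy.maxPerWithdrawal) {
    return { ok: false, reason: "exceeds per-withdrawal cap" };
  }
  if (spentInWindow(history, now) + amount > policy.maxPerDay) {
    return { ok: false, reason: "exceeds rolling 24h cap" };
  }
  // Same rule as the excerpt: no --yes and no TTY means no withdrawal.
  if (!flags.yes && !interactive) {
    return { ok: false, reason: "refusing to withdraw without confirmation in a noninteractive shell" };
  }
  return { ok: true, needsPrompt: !flags.yes };
}
```

The caller still runs the interactive prompt when needsPrompt is true; what changes is that an agent holding --yes can at most drain maxPerDay to an allowlisted address, instead of the whole balance to anywhere.
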
Unpinned Dependencies

Low
Category
Supply Chain
Content
"dependencies": {
    "@x402/core": "2.11.0",
    "@x402/evm": "2.11.0",
    "viem": "^2.0.0"
  },
  "overrides": {
    "ws": "8.21.0"
  }
}
Confidence
93% confidence
Finding
Matched text: "viem": "^2.0.0". The two @x402 packages are pinned to exact versions, but viem, the Ethereum client library the wallet code depends on, uses a caret range, so a fresh install without a committed lockfile can pull any later 2.x release. The exact pin on the ws override shows the author pins elsewhere, which makes the viem range look like an oversight rather than a policy. Pin viem to an exact version and commit the lockfile.

VirusTotal

64/64 vendors flagged this skill as clean. A clean VirusTotal result only means no vendor recognises the package as known malware; it says nothing about the design findings above.


Static analysis

Detected: suspicious.dangerous_exec (Critical)

Shell command execution detected (child_process) at eight locations:
  • lib/local-runtime.js:42
  • lib/mic.js:18
  • lib/playback.js:77
  • lib/python.js:19
  • lib/stt.js:44
  • lib/talk.js:11
  • lib/tts-local.js:48
  • scripts/release-pack.js:12

The scanner rates every child_process call site Critical regardless of what it runs. Judging by the file names, most of these spawn local microphone, playback, speech-to-text and TTS helpers, which is expected for a voice skill. The site to review first is the one that takes a configuration-controlled string, the agentCommand launch via /bin/sh -c described in the Context-Inappropriate Capability finding; for each of the others, check whether the call passes an argv array or a shell string, and whether any part of that string comes from user speech, transcripts or config.