openclaw-voice
PassAudited by ClawScan on May 1, 2026.
Overview
The skill appears to be a local transcript and voice-profile manager, with the main things to notice being persistent transcript storage, shared interchange files, and a normal npm native dependency install.
This looks reasonable for local transcript management. Before installing, be comfortable with npm installing the SQLite dependency, and remember that transcripts, summaries, and backups persist on disk; use backup/restore carefully and review shared interchange files before putting sensitive voice content into the skill.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Conversation summaries and profile descriptions may become durable context for other agents, which can expose sensitive details or let misleading text influence later agent behavior.
The skill intentionally persists voice/conversation context into shared Markdown files that other agents may later consume, so sensitive or instruction-like summaries/profile descriptions can be reused outside the original conversation.
Running `voice refresh` generates `.md` files summarizing recent conversations, transcript excerpts, and profile configurations. Other agents can read these via `@openclaw/interchange` to understand conversation context.
Avoid storing secrets or prompt-like instructions in summaries/profile descriptions, review the generated interchange files, and clear the local database/interchange files when needed.
During installation, npm may build or fetch a native SQLite component under the user's normal npm permissions.
Installing the package may run a native dependency install script for better-sqlite3. This is purpose-aligned for local SQLite use and the lockfile provides package integrity, but users should still recognize that npm install is not purely static file copying.
"node_modules/better-sqlite3": { ... "hasInstallScript": true, ... "dependencies": { "bindings": "^1.5.0", "prebuild-install": "^7.1.1" } }Install from a trusted package source, keep the lockfile intact, and review dependency updates before upgrading.