Voice Agent

Security checks across malware telemetry and agentic risk

Overview

This voice-cloning and calling skill is mostly coherent, but it asks for broad account, credential, and telephony control without enough scoping or consent safeguards.

Install only if you are comfortable granting an agent access to ElevenLabs, possible browser sessions or account credentials, voice samples, Twilio calling credentials, lead phone data, and call transcripts. Prefer manually created, scoped API keys held in a secret store and avoid shared .env files. Require explicit approval before login, key creation, voice cloning, Twilio connection, or outbound calls, and define consent, disclosure, transcript retention, redaction, opt-out, credential rotation, and shutdown procedures before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (14)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The skill instructs autonomous login to a third-party account and retrieval of credentials/API keys, which goes well beyond ordinary text-to-speech generation. Automating browser login and harvesting secrets from active sessions materially increases the risk of credential theft, account takeover, and unauthorized use of paid services.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill explicitly directs writing harvested credentials into a global .env file, expanding the blast radius beyond this skill's own workspace. Persisting secrets in a shared environment file makes them accessible to unrelated processes and skills and increases the chance of accidental disclosure.

Scope Creep

Severity: High
Confidence: 98%
Finding
The documentation instructs writing a secret to /docker/openclaw-yyvg/.env, which is outside the skill's declared writable scope. This bypasses least-privilege boundaries and can tamper with global runtime configuration or expose credentials to other components in the container.

Scope Creep

Severity: High
Confidence: 96%
Finding
The browser-login flow reads ELEVENLABS_EMAIL and ELEVENLABS_PASSWORD from environment variables even though env-secret access is not properly declared and is not narrowly justified. Pulling raw account credentials into an automation flow significantly raises the risk of secret leakage through logs, screenshots, prompts, or browser tooling.

Scope Creep

Severity: High
Confidence: 98%
Finding
This step again instructs persisting an API key into an undeclared global .env path, compounding the risk of cross-skill secret exposure. Repeatedly encouraging writes outside the allowed workspace suggests a systemic disregard for permission boundaries.

Scope Creep

Severity: High
Confidence: 94%
Finding
Saving IDs and related configuration to .env outside declared writable locations exceeds the skill's stated boundaries and normalizes writing operational data into shared global configuration. Even if the value is not itself a password, this pattern can expose identifiers and encourage broader unsafe secret handling.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding
The skill includes apt-based installation and package modification steps, which are privileged system changes not strictly necessary for a documentation-only voice workflow. Allowing arbitrary package installation expands the attack surface and can be abused to alter the container state or pull in unsafe dependencies.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The README explicitly promotes autonomous login to ElevenLabs, API key creation, and use of email/password or active Google sessions, but provides no warning about the sensitivity of those credentials or that the skill will modify a third-party account. In an agentic environment, this is dangerous because it encourages unattended account access and persistent secret generation, which can lead to credential misuse, unauthorized account changes, or unintended billing and data exposure.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The README advertises automated inbound/outbound calls and Telegram notifications without any notice about consent, call recording, lead data handling, or transmission of personal information to Twilio, ElevenLabs, and Telegram. Because this skill is specifically designed to interact with prospects at scale using cloned voice and call automation, the missing privacy and consent guidance materially increases the risk of unlawful outreach, deceptive impersonation, and exposure of sensitive customer data.

Missing User Warnings

Severity: High
Confidence: 90%
Finding
The skill does not clearly warn users that it will automatically capture and store credentials during self-configuration. Lack of explicit informed consent around credential handling is dangerous because users may unknowingly authorize account access and persistent secret storage.

Missing User Warnings

Severity: High
Confidence: 94%
Finding
The skill lacks a clear upfront warning that it will create a synthetic voice clone and may place automated calls using the principal's voice. Because voice cloning and outbound calling have significant fraud, impersonation, regulatory, and reputational implications, missing disclosure makes the skill materially more dangerous in context.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The metadata notes that call transcripts and outcomes are sent through Telegram, but the skill lacks a strong privacy warning about this external transmission of conversation data. Sharing transcripts to a messaging platform can leak sensitive business or personal information if users are not clearly informed and controls are weak.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The prompt instructs the voice agent to send Calendly links, free resources, and reference prior email contact or voicemail without any explicit consent, disclosure, or safeguards around using the caller’s phone number and contact data. In a voice-calling skill that automates inbound and outbound calls via Twilio and ElevenLabs, this creates a real privacy/compliance risk because the agent may initiate follow-up messaging based solely on conversational flow rather than verified opt-in.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The calls listing prints names, phone numbers, and reasons directly to stdout without masking or role checks. In shared terminals, logs, demos, or agent-visible transcripts, this can expose sensitive lead PII and business context to unauthorized viewers.

VirusTotal

64/64 vendors flagged this skill as clean.