Transcription and audio answers in PT-BR (Brazilian Portuguese)

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its local Portuguese voice-reply purpose, but its published command trigger is malformed and could expose it to shell-command injection, depending on how OpenClaw expands command arguments.

Review this before installing in any environment where other users can send /voz commands. The core voice pipeline appears coherent, but the trigger should be fixed to pass arguments as structured argv values or with robust escaping before public use. Leave ANTHROPIC_API_KEY unset if transcripts should stay local, and only use a trusted WORKSPACE because the skill runs the Piper binary from there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Tainted flow: 'piper_bin' from os.environ.get (line 41, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
path.unlink()

    try:
        subprocess.run(
            [str(piper_bin), "--model", str(model_path), "--output_file", str(wav_path)],
            input=text.encode("utf-8"),
            capture_output=True,
Confidence
81% confidence

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The trigger action embeds `{{args}}` inside malformed nested quotes, so the platform may not pass arguments as a single safely quoted value. If an attacker can control `/voz` arguments and the trigger engine builds a shell command string from this template, shell metacharacters or broken quoting could alter command execution, making this a command-injection risk at the integration boundary.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The script uses predictable filenames in the global temporary directory and unlinks any existing files before writing new output. In a multi-user or adversarial local environment, this can enable symlink or file-clobbering issues, causing unintended deletion or overwrite of files accessible to the process.

Ssd 3

Medium
Confidence
90% confidence
Finding
When both providers fail, the fallback response reflects up to 80 characters of the user's transcript back into output. If the transcript contains sensitive content such as credentials, personal data, or private speech, this behavior can unnecessarily disclose that information to logs, downstream systems, or unintended viewers.

VirusTotal

66/66 vendors flagged this skill as clean.
