Security audit

Audio PTBR

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Portuguese voice assistant, but review is warranted because setup can change the host system and optional AI modes can send transcribed speech to external or broader local agents.

Install only after reviewing install.sh. Prefer running it in a virtual environment or container, verify downloaded sources if possible, and avoid setting ANTHROPIC_API_KEY unless you are comfortable sending transcribed voice content to Anthropic. Treat the OpenClaw fallback as a local agent handoff with whatever permissions your OpenClaw setup grants.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
Path(temp_wav).unlink(missing_ok=True)
"""
            
            result = subprocess.run(
                ["python3", "-c", test_code],
                capture_output=True,
                text=True,
Confidence
87% confidence
Finding
result = subprocess.run( ["python3", "-c", test_code], capture_output=True, text=True, timeout=30, cwd=self.

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes shell execution and environment-variable driven behavior while declaring no corresponding permissions, which weakens platform trust boundaries and prevents informed consent about what the skill can access. In this context, the risk is heightened because the documented triggers invoke `bash process.sh` on user-controlled inputs and the broader skill behavior includes installation and external integrations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose understates materially sensitive behaviors: package installation, downloading binaries/models from external sources, environment probing, local agent fallback, and direct media sending. This mismatch is dangerous because users may install a seemingly simple voice skill without realizing it can alter the host system, exfiltrate data to third parties, or interact with other local services and sessions.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The document gives a strong assurance that the skill is 'production-ready' and 'secure' while earlier sections still acknowledge unresolved issues such as installer safety and incomplete documentation updates. This can mislead users into trusting and deploying the skill before the identified risks are actually fixed, increasing the chance of unsafe installation or privacy-impacting use.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The file silently falls back to invoking a general-purpose local OpenClaw agent when Claude is unavailable or fails, which broadens capability beyond a narrowly scoped voice-response adapter. In skill context, this is more dangerous because audio transcripts are untrusted user input and are forwarded into a local agent runtime that may have wider tool access or different safety properties than the advertised Claude-only behavior.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide explicitly tells users to execute an installer that performs downloads and dependency installation, but it gives no warning that this will modify the system and access external networks. In a skill ecosystem, encouraging blind execution of install scripts increases supply-chain risk because users may run unreviewed code with broad local permissions.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The documentation shows direct handling of an API key in shell commands without any warning about secret exposure, shell history leakage, or safer secret management practices. This can lead users to paste live credentials into terminals, scripts, or logs where they may be recovered by other processes or users.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The quick start directs users to run `bash install.sh` and restart OpenClaw immediately, but does not warn that the installer will modify the local environment, install dependencies, and download large external components. While common in setup docs, this reduces informed consent and increases the chance a user executes impactful changes from an unreviewed skill package.

Missing User Warnings

High
Confidence
95% confidence
Finding
The Claude integration instructions tell users to set an API key and state that voice messages will be processed by Claude, but they do not clearly warn that transcribed content and possibly sensitive user speech will be sent to a third-party external service. In a voice-processing skill, this is a meaningful privacy and data-handling risk because users may assume processing remains local unless explicitly told otherwise.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises Claude integration but does not clearly disclose what user data is transmitted when that mode is enabled. In a voice-processing skill, users may reasonably assume processing remains local unless explicitly told otherwise, so omission of a third-party data flow warning creates a real privacy and consent risk.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

Detected: suspicious.destructive_delete_command

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
README.md:119