Openclaw Feishu Optimizer

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Feishu voice transcription helper, but users should understand that audio may be sent to Google for recognition.

Install only if you are comfortable using Google Speech Recognition for voice transcription. Avoid processing sensitive or regulated audio unless you have user/admin consent, and consider pinning or reviewing the Python dependencies before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill advertises automatic voice recognition and explicitly references Google Speech Recognition, which implies audio content may be transmitted to an external service. The documentation does not provide a clear privacy warning, consent mechanism, or data-handling disclosure, so users may unknowingly send potentially sensitive voice data off-platform.

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
The configuration hard-codes zh-CN as the default language/locale and enables automatic voice recognition without a clear opt-in flow. While not inherently malicious, this can cause unintended processing behavior, mishandle user content, and apply locale-specific assumptions to users who did not choose them.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script sends audio content to Google's speech recognition service without an explicit privacy warning or affirmative user consent at the point of transmission. Audio may contain sensitive conversations, credentials, or personal data, so silent transmission to a third-party cloud service creates a real confidentiality risk, especially in an agent-skill context where users may assume local processing.

VirusTotal

65/65 vendors flagged this skill as clean.
