Autonoannounce

Security checks across malware telemetry and agentic risk

Overview

This TTS skill mostly matches its purpose, but it needs Review because parts of its local config can drive file writes and program execution beyond the clearly documented playback paths.

Install only if you trust the publisher and need ElevenLabs-backed local speaker TTS. Keep config/tts-queue.json writable only by trusted users, set playback.backend to a known player such as mpv or ffplay, avoid custom backend names, and prefer keeping earcons.libraryPath under .openclaw. On shared machines, be aware that preflight response files may briefly remain in /tmp.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 95%
Finding
The skill declares capabilities in metadata that include environment access, shell execution, and writes to local files, but there is no explicit permissions declaration section communicating those powers to the caller. That creates a transparency and least-privilege problem: users may invoke the skill without understanding it can access secrets like ELEVENLABS_API_KEY, execute local scripts, and persist runtime state on disk.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 88%
Finding
The documented purpose emphasizes a local queued TTS pipeline, but the skill also exposes broader behaviors such as sound-effect generation, interactive setup that probes devices and plays tones, backend validation, and stress-testing helpers. This mismatch is risky because users may authorize or run the skill expecting narrow TTS behavior while it can perform additional shell-driven diagnostics, playback actions, and network-backed media generation beyond that expectation.

Scope Creep

Medium
Confidence: 93%
Finding
The script trusts earcons.libraryPath from config and, if it is relative, resolves it against ROOT without constraining it to approved runtime directories. A crafted or accidental value such as an absolute path or a traversal-like relative path can cause the script to create or overwrite JSON files outside the intended local state area, which is a real arbitrary file write within the privileges of the user running the script.

Missing User Warnings

Medium
Confidence: 91%
Finding
The script writes raw ElevenLabs API response bodies to predictable files in /tmp, which is a shared location on many multi-user systems. Even if the current logic only consumes HTTP status codes, those response bodies may contain account, subscription, voice, or error details that could be read by other local users or left behind longer than intended.

VirusTotal

66/66 vendors flagged this skill as clean.