Skill v1.0.0
ClawScan security
telegram-voice-mode · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 6, 2026, 11:07 PM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill mostly does what it claims (convert replies to TTS and send via the OpenClaw messaging CLI) but contains surprising/coupling elements — notably a hardcoded Telegram target and implicit dependence on another skill's script — that are disproportionate to its stated purpose and could cause unintended messages to be sent.
- Guidance
- Before installing: inspect and, if needed, remove the hardcoded DEFAULT_TARGET from scripts; ensure you understand which OpenClaw account the 'openclaw' CLI will use (it will send messages using that account) and test in a safe environment to avoid sending audio to external users. Confirm the edge-tts converter exists in the expected path or modify the script to use an explicit, audited TTS implementation. If you don't want automatic sending, require explicit confirmation or remove the auto-send CLI call. If unsure, run these scripts in a sandboxed account or review them line-by-line with someone who understands your OpenClaw messaging configuration.
- Findings
- [child_process-spawn] expected: The scripts use spawn to run node (to invoke the edge-tts converter) and to invoke the 'openclaw' CLI; this is expected for a local TTS + send workflow.
- [hardcoded-target-telegram-id] unexpected: scripts/voice-send.js contains a hardcoded DEFAULT_TARGET = '5500262186'. A generic 'voice-mode' skill should not hardcode an external recipient; this could cause unintended messages.
- [cross-skill-path-reference] unexpected: Both scripts expect an edge-tts converter at ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. Implicitly relying on another skill's file path is fragile and could be used to trigger or misuse files belonging to other skills.
Review Dimensions
- Purpose & Capability
- concern: Name/description claim multi-channel voice replies; code and SKILL.md rely specifically on the OpenClaw CLI and a workspace edge-tts script. The skill hardcodes a default Telegram ID (5500262186) labeled as a specific person, which is not justified by the generic 'voice mode' purpose.
- Instruction Scope
- concern: Runtime instructions and scripts create files under /tmp, copy them to ~/.openclaw/workspace/voice.mp3, and then invoke 'openclaw message send' to deliver media. This will cause the agent to send messages using whatever account the OpenClaw CLI is configured with; combined with the hardcoded default target, it can automatically send audio to an external recipient without additional confirmation.
- Install Mechanism
- ok: No remote downloads or install steps; the skill is instruction-only with local JS scripts. Nothing is fetched from unknown URLs or extracted to disk by an installer.
- Credentials
- concern: No declared env vars or credentials, but the code implicitly requires: (1) the OpenClaw CLI to be installed and authenticated (so the skill can send messages), and (2) an edge-tts script at ~/.openclaw/workspace/skills/edge-tts/scripts/tts-converter.js. These implicit dependencies and the hardcoded Telegram ID are not proportionately justified by the description.
- Persistence & Privilege
- note: `always` is false and the skill does not modify other skills' configs. It does, however, write to ~/.openclaw/workspace/voice.mp3 (workspace area) and depends on another skill's files; this cross-skill coupling increases the blast radius if misused but does not itself request elevated platform privileges.
