Ningyao Voice Launcher

Status: Pass. Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: ningyao-voice-launcher
Version: 0.1.0

The bundle provides a local voice chat application with a 'safe terminal' feature in `server.js` that is vulnerable to command injection. The `/api/terminal` endpoint uses `cmd /c` to execute commands, and while it employs a whitelist/blacklist, the sanitization for the `type` command is insufficient to prevent all forms of shell metacharacter exploitation. Furthermore, `SKILL.md` instructs the AI agent to perform high-risk administrative tasks, such as executing a PowerShell script (`scripts/install-launcher.ps1`) with `ExecutionPolicy Bypass`. While these features appear intended for a developer utility rather than being explicitly malicious, the combination of RCE vulnerabilities and high-privilege execution instructions warrants a suspicious classification.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (High Confidence)
ASI05: Unexpected Code Execution
What this means

A crafted model response or pasted message could execute in the local web page and potentially call same-origin endpoints such as the terminal API.

Why it was flagged

User and model-provided chat content is inserted into the DOM as HTML instead of text. A malicious or manipulated reply could run browser-side HTML/JavaScript behaviors in the local app.

Skill content
item.innerHTML = `<span class="role">${role === 'user' ? '你' : '宁姚'}</span><div>${content}</div>`; ... renderMessage('assistant', data.reply);
Recommendation

Render messages with textContent or a well-audited sanitizer, and add a restrictive Content Security Policy before enabling the terminal feature.

What this means

While the launcher is running, the terminal endpoint may read files outside the launcher folder or behave unexpectedly if reached through the UI, local network, or a browser injection bug.

Why it was flagged

The advertised restricted terminal allows a user-supplied path through cmd /c with only partial filtering. It does not block absolute paths, quotes, or redirection characters, so it is broader than the stated current-directory safe-file access.

Skill content
if (lower.startsWith('type ')) { ... if (!target || target.includes('..') || target.includes('&') || target.includes('|')) ... return { ok: true, file: 'cmd', args: ['/c', `type "${target}"`] }; }
Recommendation

Remove shell-based file reads, resolve and enforce paths under the launcher directory, reject absolute paths and metacharacters, bind the server to 127.0.0.1, and consider requiring a local session token.

Note (Medium Confidence)
ASI01: Agent Goal Hijack
What this means

A webpage or document shown on the shared screen could influence the assistant's replies if its content is summarized into the system prompt.

Why it was flagged

Screen-derived content is appended to a system-role prompt, so text visible on a shared screen can be treated as higher-authority context than ordinary user content.

Skill content
const screenInstruction = screenSummary ? `以下是你最近一次看到的屏幕摘要,可作为当前上下文参考:${screenSummary}` : ''; ... { role: 'system', content: systemPrompt + ... + screenInstruction }
Recommendation

Pass screen summaries as clearly labeled untrusted context, not as system instructions, and tell the model to ignore instructions found inside viewed content.

What this means

Conversation history and shared-screen content can leave the local machine and be processed by the configured model provider.

Why it was flagged

When screen analysis is used, the captured screen image is forwarded to the configured OpenAI-compatible provider for vision processing.

Skill content
const baseURL = process.env.OPENAI_BASE_URL || 'https://api.openai.com/v1'; ... { type: 'input_image', image_url: image }
Recommendation

Use only a trusted API endpoint, avoid sharing sensitive screens, and make the UI clearly warn users before sending screen images to the provider.

What this means

Users must provide a provider API key that can incur cost and authorize model calls from the local server.

Why it was flagged

The skill requires an OpenAI-compatible API key even though registry metadata declares no required env vars or primary credential. This is purpose-aligned but under-declared.

Skill content
Set these in `.env`:
- `OPENAI_API_KEY`: required
Recommendation

Declare the credential in metadata, use a limited-scope or low-quota key where possible, and never commit the .env file.

What this means

The documented one-click install path may fail, or users may be tempted to fetch or create missing scripts outside the reviewed package.

Why it was flagged

The instructions reference installer and launcher files that are not present in the supplied file manifest, creating a package-coherence and provenance gap.

Skill content
Run: powershell -ExecutionPolicy Bypass -File scripts/install-launcher.ps1 ... Start with `start-voice-chat.cmd` or `start-voice-chat-bg.cmd`.
Recommendation

Ship the referenced scripts and .env example in the package, or update the documentation to remove them. Avoid ExecutionPolicy Bypass unless the exact script is included and reviewed.