Xiaozhi Mcp Openclaw Official

Security checks across malware telemetry and agentic risk

Overview

This is a real XiaoZhi-to-OpenAI bridge, but it needs review because it can forward voice/tool traffic and secrets through external services with broad scope and limited privacy controls.

Install only if you intentionally want XiaoZhi queries and MCP tool traffic sent to external services. Before running it, set MCP_ENDPOINT, OPENAI_BASE, and OPENAI_KEY explicitly, use a backend you trust, avoid sharing logs because the MCP endpoint may contain a token, and do not route sensitive voice content through this bridge unless you accept the configured provider's handling of that data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities that use environment variables, network access, and shell execution, but it does not declare permissions or boundaries for those capabilities. This increases the risk of over-privileged deployment, weak review visibility, and accidental exposure of secrets or external connectivity beyond what operators expect.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The bridge will execute any local Python script supplied on the command line, while the skill description presents it as a bridge for a specific XiaoZhi/OpenClaw integration. That mismatch expands the trust boundary: once connected, a remote endpoint can exchange data with whatever local script the operator launched, enabling unintended capability exposure or data exfiltration through an arbitrary MCP implementation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README explicitly documents that user text is forwarded to an external OpenAI/OpenAI-compatible backend, but it does not clearly disclose the privacy, retention, or third-party processing implications of sending potentially sensitive voice/text content off-device. In a voice-assistant bridge context, users may unknowingly expose personal or confidential data, making the omission a real security/privacy weakness even if it appears to be documentation-level rather than code-level.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The tool trigger condition includes vague language such as calling the external tool whenever 'external capability is needed,' which gives the model broad discretion to send user content to a remote backend. Ambiguous activation increases the chance of unnecessary data transfer, unexpected tool use, and prompt-manipulation-induced exfiltration of sensitive conversation content.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The English guidance repeats the same ambiguous condition for invoking the external query tool, which can cause inconsistent or over-broad tool activation across languages. Because this skill bridges to an external service, vague invocation logic materially increases privacy and unintended-action risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill description says it connects XiaoZhi to an OpenAI/OpenAI-compatible backend, but it does not clearly warn that user messages may be transmitted to an external service for processing. This weakens informed consent and can lead to privacy violations, especially because the tool is intended for external capability, reasoning, and network-assisted queries.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
All stdin/stdout traffic of the local MCP subprocess is forwarded to a remote WebSocket endpoint, but the user is not clearly warned that tool inputs, outputs, and possibly sensitive data handled by the subprocess will leave the local machine. In this skill context, the bridge is specifically designed to connect a local MCP tool to an external service, so silent data forwarding materially increases privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The tool forwards the full user-provided message to an external backend, but the code contains no user-facing disclosure, consent, or minimization. In an MCP/tooling context, this can expose sensitive prompts or personal data to a third-party service without the user's awareness, which raises privacy and trust concerns.

VirusTotal

66/66 vendors flagged this skill as clean.