Skillv1.0.1

ClawScan security

audioclaw-skills-voice-reply · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousMar 22, 2026, 8:36 AM

Verdict: suspicious
Confidence: high
Model: gpt-5-mini
Summary: The skill's code and runtime instructions require access to Feishu credentials, a SenseAudio API key, and local workspace/session files (and will persist user voice preferences), but the registry metadata declares no required environment variables or secrets — this mismatch and the filesystem access warrant caution.
Guidance: Before installing or enabling this skill, be aware of three practical issues: 1) Undeclared credentials: the code expects a SenseAudio API key (env, default name SENSEAUDIO_API_KEY) and Feishu app_id/app_secret inside a config.json in your AudioClaw workspace; the registry metadata did not declare these. If you do not provide them, runtime errors or unexpected behavior may occur. Only provide secrets you trust this code and its endpoints to use. 2) Local filesystem access & persistence: the scripts read session logs to infer Feishu chat IDs, read/write workspace/state audio files, and persist user voice preferences under your home (~/.codex/...). If you do not want preference data written or session logs scanned, do not enable automatic persistence or remove the default-persisting prompt instruction. 3) Behavior bias in the bundled agent prompt: agents/openai.yaml contains a default prompt that instructs the agent to default future replies to a specific cloned voice_id (vc-yxdCFUKyNLPexxJ66jaXWk). If you do not want the skill to silently make that voice the default for users, remove or edit that prompt before use. Practical steps: - Inspect and, if needed, edit agents/openai.yaml to remove any undesired default voice behavior. - Provide the SenseAudio API key only in a controlled environment and verify which env name you want to use; the picoclaw wrapper accepts --api-key-env to override. - Store Feishu app_id/app_secret in your config.json only if you trust the runtime to upload/send audio on your behalf; alternatively, run the scripts in a sandbox and test with test credentials first. - If you are uncomfortable with the skill scanning session logs or writing to ~/.codex/, modify the scripts (openclaw_voice_switchboard.py / feishu_audio_sender.py / picoclaw wrapper) to require explicit chat-id/session-file and to disable preference persistence. Given the mismatch between declared metadata and actual credential/filesystem needs, proceed only after review or with conservative test credentials in an isolated environment.

Review Dimensions

Purpose & Capability: concernThe skill's stated purpose (AudioClaw voice replies for Feishu/Lark) matches the included code which calls SenseAudio TTS and Feishu upload APIs. However the registry metadata declares no required credentials or env vars while the code clearly expects a SenseAudio API key (default env SENSEAUDIO_API_KEY) and Feishu app_id/app_secret inside a config.json. That undeclared credential demand is incoherent with the published metadata.
Instruction Scope: concernSKILL.md instructs running local scripts (openclaw_voice_switchboard.py / picoclaw wrapper) which read/write workspace files, scan session logs to infer Feishu chat IDs, read config.json for Feishu credentials, and write cached audio and preference files. These actions go beyond 'simply synthesize text' and require reading potentially sensitive local session/state files — the instructions do not declare or warn about that scope.
Install Mechanism: okThere is no install spec (instruction-only with bundled scripts), so nothing is downloaded or installed automatically. The code is shipped in the bundle and executed locally; there is no remote code fetch in the install stage. This is lower install risk but the included scripts will run and perform network I/O.
Credentials: concernThe bundle expects a SenseAudio API key (used as Authorization: Bearer API_KEY in senseaudio_tts_client) and Feishu app_id/app_secret in a config.json; it also references workspace roots, session logs, and a home-pref file (~/.codex/...). Yet the skill's declared requirements list no env vars or credentials. Requiring an API key and channel secrets is reasonable for the stated integration, but failing to declare them is a transparency issue and can surprise users. The agent default prompt also recommends defaulting to a cloned voice_id (vc-...) for future replies, which implicitly causes persistence of a specific credential-like identifier if followed.
Persistence & Privilege: noteThe scripts read and write workspace files and a preferences file under the user's home (~/.codex/senseaudio_openclaw_voice_preferences.json) and can register or set default clone voice ids. always:false (good), but the skill can persist user voice preferences and write into the workspace and home directory. This is within its functionality but is a notable persistence behavior that should be consented to or configured by the operator.