Back to skill

Security audit

senseaudio-let-claw-talk

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it runs a macOS always-listening voice assistant using SenseAudio, with expected microphone, network, local state, and optional voiceprint features.

Install only if you are comfortable with a long-running microphone assistant that sends captured speech to SenseAudio for transcription and may store preferences and optional voiceprint data locally. Review SenseAudio’s data handling terms, keep WeSpeaker disabled unless you need speaker filtering, and know how to stop the Terminal session or clear stored profiles.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"--message",
        prompt,
    ]
    completed = subprocess.run(command, capture_output=True, text=True, check=False)
    if completed.returncode != 0:
        return None
    payload = extract_json_object(extract_agent_reply(completed.stdout) or completed.stdout)
Confidence
89% confidence
Finding
completed = subprocess.run(command, capture_output=True, text=True, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
last_error = "audioclaw agent failed"

    for attempt in range(1, max(1, args.agent_retries) + 1):
        completed = subprocess.run(command, capture_output=True, text=True, check=False)
        if completed.returncode == 0:
            reply = extract_agent_reply(completed.stdout)
            if reply:
Confidence
92% confidence
Finding
completed = subprocess.run(command, capture_output=True, text=True, check=False)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no explicit permissions, yet its documented behavior clearly uses sensitive capabilities: shell execution, network access, reading credentials, and reading/writing state files. This creates a permission-transparency gap where a user or host system may not understand the real trust boundary before invoking a long-lived microphone assistant.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description frames WeSpeaker as optional, but the script exposes conversational commands to enroll voice samples, enable speaker filtering, and operate a background service as first-class features. That mismatch matters because users may not expect biometric processing and local access control behavior to be available through casual speech commands in a continuously listening assistant.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill is designed for always-on microphone listening and sends user speech to external SenseAudio services for ASR/TTS, but the description does not prominently warn users about continuous capture, remote processing, or retention/privacy implications. In context, this is more dangerous because the skill is specifically marketed as a persistent desktop voice assistant, increasing the chance of capturing unintended or sensitive conversations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation exposes voice cloning and voiceprint enrollment actions without any warning about biometric collection, consent, retention, or impersonation risks. In a continuously listening local voice assistant, this increases the chance that users enable sensitive biometric features without understanding that cloned voices and enrolled voiceprints are privacy-sensitive and can be abused for tracking, spoofing, or unauthorized profile creation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The code uploads raw audio content to a third-party ASR service, but this file contains no consent, disclosure, or gating mechanism before transmitting potentially sensitive microphone recordings. In the context of a continuous-listening desktop assistant, that raises the privacy risk substantially because captured speech may include confidential or unintended background conversations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The /clear_profile endpoint deletes stored profile files immediately with no authentication, authorization, or confirmation step. Although the service binds to 127.0.0.1 by default, any local process can invoke it, allowing accidental or malicious deletion of enrolled voice profiles and denial of service for speaker verification.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script records microphone input directly to a caller-specified file path and emits only machine-readable JSON after capture, with no explicit user-facing disclosure at runtime that audio is being saved to disk. In the context of a skill explicitly designed for continuous listening on macOS, this increases privacy risk because users may not understand when recording starts, where audio is stored, or how long it persists, enabling accidental collection of sensitive speech.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The enrollment flow records and submits the user's voice for WeSpeaker profile creation, which is biometric data processing. The code provides convenience prompts but no meaningful disclosure about storage location, retention, transmission to the background service, or the sensitivity of voiceprints, creating a real privacy and consent problem.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.