discord voice memo upgrade

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Clawdbot TTS patch, but it should be reviewed because it overwrites core bot files and ships debug logs that can expose message text and key fragments.

Install only after reviewing the patch against your Clawdbot version. Apply it first in a non-production bot, keep backups, and remove or gate all TTS debug console logs before using it with real users. Avoid remote TTS providers for sensitive conversations unless sending that text to the provider is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Intent-Code Divergence

Medium, 97% confidence
Finding
The documented patch adds console logging that records sensitive runtime data, including message body content, media metadata, and a partial API key prefix. Even partial secret disclosure and user-content logging can leak private data into centralized logs, support bundles, or shared hosting environments, creating avoidable exposure of secrets and user communications.

Intent-Code Divergence

Medium, 91% confidence
Finding
The manifest declares the skill type as "documentation" while the description and keywords present it as a functional core patch that changes Discord/TTS behavior. This mismatch can bypass or weaken review, installation, or permission expectations by causing a capability-bearing plugin to be treated as inert content, increasing the risk of unsafe deployment.

Context-Inappropriate Capability

Medium, 97% confidence
Finding
The code emits a debug log containing inbound message body content, media type information, and TTS decision state directly to console. Message bodies may contain sensitive user data, and console/stdout is commonly collected by process managers, centralized logging systems, or cloud observability platforms, turning transient user input into retained sensitive telemetry without access controls or redaction.

Missing User Warnings

Medium, 92% confidence
Finding
The patch documentation instructs operators to test by inspecting logs that include inbound message content and media context, but it does not prominently warn that these logs may contain sensitive user data. In the context of a messaging bot with TTS and voice inputs, this increases the likelihood of privacy violations because operators may enable and retain verbose logging in real environments without understanding the exposure.

Missing User Warnings

Medium, 90% confidence
Finding
The documentation instructs users to overwrite compiled files inside a globally installed bot package and restart the live bot, which is a risky operational practice. This can bypass normal update, integrity, and deployment controls, make rollback/error handling brittle, and increase the chance of service disruption or accidental introduction of unsafe code into a production bot.

Missing User Warnings

Medium, 87% confidence
Finding
The document instructs users to apply a manual core patch directly to compiled dist files, but it does not warn about backup, rollback, integrity, or compatibility risks. Direct modification of core runtime files can break the installation, bypass normal package trust/update mechanisms, and make recovery difficult if the patch is wrong or later overwritten.

Missing User Warnings

Medium, 98% confidence
Finding
This statement logs raw inbound message content via `(ctx.Body ?? '').slice(0, 80)` along with associated metadata, which can expose private conversations, credentials, tokens, or personal data to anyone with log access. Because the log is unconditional and not protected by diagnostics checks, the leak occurs during normal execution rather than only during controlled troubleshooting.

Missing User Warnings

Medium, 92% confidence
Finding
The code automatically applies TTS to payload text and forwards content to external TTS providers via textToSpeech() based on configuration and preferences, but there is no clear user-facing consent or disclosure mechanism at this call site. Because this can process arbitrary message text, sensitive or private content may be transmitted off-box unexpectedly when TTS auto-mode is enabled.

Missing User Warnings

Medium, 95% confidence
Finding
The OpenAI TTS path sends raw text to a remote endpoint using fetch() with no built-in disclosure, consent check, or data-minimization at the transmission point. If used on conversational or user-supplied content, this can expose sensitive text to a third party and to any custom endpoint configured through OPENAI_TTS_BASE_URL.

VirusTotal

66/66 vendors flagged this skill as clean.
