Back to skill

Security audit

discord voice memo upgrade

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real manual Clawdbot TTS patch, but it should be reviewed because it overwrites core bot files and currently logs private message snippets and credential fragments.

Install only after reviewing the patch against your exact Clawdbot version. Apply it first in a non-production bot, keep the backups, and remove or gate all TTS debug console logs before handling real user messages. Also confirm your Clawdbot version has current security fixes and that sending reply text to any configured TTS provider is acceptable for your users.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The manifest declares the skill as "type": "documentation" while the description and keywords present it as a functional "core patch" that changes Discord bot behavior. This metadata mismatch can bypass user expectations, review workflows, or installation restrictions that treat documentation as lower risk, making the package misleading and potentially dangerous even without code shown in this file.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The patch documentation instructs operators to enable verbose console logging that includes message body content, media metadata, provider selection, and a partially revealed API key prefix. In a production or shared-log environment, these examples can normalize unsafe logging practices and lead to accidental disclosure of secrets and sensitive user content to log aggregators, support staff, or other tenants.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to directly overwrite installed core application files under the global Node.js package path, which is a risky and security-relevant modification pattern. Even though the content appears aimed at fixing functionality rather than overt compromise, encouraging ad hoc replacement of compiled dist files bypasses normal package integrity, update, review, and rollback controls and can lead users to install unverified code into a privileged runtime environment.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code logs inbound message metadata and the first 80 characters of `ctx.Body` directly to `console.log` in a TTS debug statement. This can expose sensitive user content, personal data, or secrets to logs and observability systems without sanitization, access controls, or explicit user disclosure, increasing the risk of data leakage during normal operation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code logs TTS provider details including whether an API key is set and even a prefix of the ElevenLabs key via `slice(0, 8)`. Exposing credential fragments and sensitive configuration in logs increases the risk of secret leakage through log aggregation systems, crash reports, support bundles, or shared consoles.

Known Vulnerable Dependency: clawdbot==1.0.0 — 10 advisory(ies): CVE-2026-26317 (OpenClaw affected by cross-site request forgery (CSRF) through loopback browser ); GHSA-chm2-m3w2-wcxm (OpenClaw Google Chat spoofing access with allowlist authorized mutable email pri); CVE-2026-26328 (OpenClaw iMessage group allowlist authorization inherited DM pairing-store ident) +7 more

High
Category
Supply Chain
Confidence
95% confidence
Finding
clawdbot==1.0.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.exposed_secret_literal

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
patch/tts.js:144

File appears to expose a hardcoded API secret or token.

Critical
Code
suspicious.exposed_secret_literal
Location
patch/tts.js:894