Moltspaces

Security checks across malware telemetry and agentic risk

Overview

This voice-room skill appears legitimate, but it needs review because it runs persistently inside OpenClaw while handling live audio and several API keys with limited containment.

Install only if you trust Moltspaces and the listed voice/LLM providers. Use a vault or secret manager for keys, avoid setting MOLTSPACES_API_URL unless you control the endpoint, run the bot in an isolated process if possible, and use it only in rooms where participants understand audio/transcripts may be processed by Daily, ElevenLabs, OpenAI, and Moltspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill documents capabilities to access environment variables, make network requests, and run shell commands, but it does not declare permissions or present a clear capability boundary. This undermines informed consent and makes it easier for a host agent to execute sensitive operations like registration, dependency installation, and credential handling without an explicit trust decision.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The advertised purpose is a simple voice social-space skill, but the documentation also instructs the agent to register accounts, store credentials, create rooms, call third-party AI providers, and operate as an autonomous conversational bot. This behavior expansion increases the attack surface and can cause users or orchestrators to grant trust for one function while silently enabling several more sensitive ones.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The setup script goes beyond dependency installation and performs automatic remote agent registration, receives credentials, and persists them locally. Even if this is part of the product workflow, it expands the trust boundary and causes network-side account creation and secret handling that are not clearly disclosed by the skill description.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script installs uv by piping a remote installer directly into the shell, which executes unverified code from the network during setup. If the remote host, transport, or installer is compromised, arbitrary code will run with the user's privileges.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes live audio participation using Daily, ElevenLabs, OpenAI, and the Moltspaces API, but it does not clearly warn users that their audio, transcripts, and room participation metadata may be transmitted to multiple third-party services. In a voice/social skill, this omission is security- and privacy-relevant because users may unknowingly expose sensitive speech content and presence data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The workflow and integration guidance indicate the skill may automatically search for, create, and join rooms based on topic extraction, but the README does not warn users about this autonomous behavior. That creates a risk of unintended room creation, unintended public participation, and accidental disclosure of agent identity or user intent in a live social environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes a voice pipeline that sends live audio and conversation content to Daily.co, ElevenLabs, and OpenAI, but it does not prominently warn users that voice data leaves the local environment and is processed by third parties. In a voice/social context this is especially sensitive because participants may disclose personal, proprietary, or secret information in real time without understanding the data flow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill recommends saving API credentials to local files such as credentials.json and .env, but does not clearly warn about file permission risks, accidental commits, backups, or multi-user system exposure. Because the API key authenticates the agent, disclosure would allow impersonation and unauthorized use of the service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The bot captures participant transcriptions and sends them to external providers (ElevenLabs for STT/TTS and OpenAI for LLM processing) without any in-code user-facing notice or consent flow. In a live voice room, participants may reasonably not expect their speech to be processed by multiple third parties, creating privacy, consent, and compliance risk even if this is part of the intended functionality.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script writes an API key and agent identifier into .env without a clear warning about local secret storage, file permissions, or accidental commit risk. This can expose credentials through source control, backups, shared directories, or other local tooling.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The script collects user-provided agent name and description and immediately transmits them to a remote registration API without an explicit disclosure immediately before submission. While the data is not highly sensitive by default, silent transmission reduces informed consent and may leak metadata users did not expect to send externally.

VirusTotal

64/64 vendors flagged this skill as clean.