Security audit

ASR Hotwords

Security checks across malware telemetry and agentic risk

Overview

This ASR hotword skill has a coherent purpose, but it needs Review because it broadly processes private conversation history and automatically triggers a downstream DMWork update without clear per-run user approval.

Install only if you are comfortable with this skill scanning OpenClaw conversation histories, using your configured LLM credentials/provider, storing accumulated hotwords, and updating DMWork voice context. Before running it, narrow config.yaml to specific agents or dates, review hotwords.md before injection, avoid the background install test unless intended, and use scoped provider credentials where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
})

        try:
            result = subprocess.run(
                ["openclaw", "gateway", "call", "agent", "--params", params, "--json"],
                capture_output=True, text=True, timeout=30,
            )
Confidence
95% confidence
Finding
result = subprocess.run( ["openclaw", "gateway", "call", "agent", "--params", params, "--json"], capture_output=True, text=True, timeout=30, )

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill goes beyond mining hotwords and instructs the agent to push derived data into an external DMWork voice-context system. That expands the trust boundary and creates an unintended cross-system data flow, which can propagate sensitive or inappropriate terms extracted from conversations into another operational context.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module docstring describes a local extract/build/export workflow, but the implementation also performs an external agent notification that can modify DMWork state. This mismatch reduces user awareness and informed consent, making the behavior materially more dangerous because operators may run it expecting only local processing.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly states that the skill mines conversation histories from all OpenClaw agent sessions and uses configured LLM credentials, but it does not present any prominent privacy warning, consent flow, or scope limitation. In this context, the skill processes highly sensitive user/assistant content at broad scope, creating a real privacy and credential-access risk even if the stated goal is functional rather than malicious.

Missing User Warnings

Low
Confidence
87% confidence
Finding
Automatically resolving API key, base URL, and model from ~/.openclaw/openclaw.json without a clear warning is a real security concern because it normalizes silent access to sensitive local credentials. Even if the code only reuses existing configuration, the documentation encourages a pattern where users may not realize the skill will read privileged settings from their home directory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states it mines conversation records from all agents, but it does not present a clear privacy warning or consent boundary before processing potentially sensitive chat content. Users may not understand the scope of collection, retention, and downstream use of mined terms, increasing risk of unintended disclosure.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The installation and migration steps modify files under user directories, merge prior data, and create marker files without a clear warning about those side effects. That can surprise users, overwrite expectations about data location, and expand exposure of previously collected artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The pipeline sends sampled chat history and suspicious message content to a third-party LLM for cleaning and refinement, but the script does not provide any explicit user-facing notice, consent step, or data-minimization control before transmitting potentially sensitive personal conversations off-host. In this context, the processed data is chat content by design, so undisclosed external transmission materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
During validation, the script sends the user's personalized vocabulary plus corrupted message text to the LLM, again without an explicit disclosure or opt-in mechanism. Even though the validation data is synthetic in part, it is derived from real user messages and vocabulary, which can still reveal private names, organizations, products, and communication patterns to an external service.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script automatically reads API credentials and endpoint details from the user's home configuration without explicit disclosure or consent at runtime. In a skill context, silent credential consumption is risky because it can cause users to unknowingly authorize remote model access and data processing with their existing secrets.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The function reads generated hotword content and sends an instruction-bearing message to an external agent subprocess without clear user disclosure. Because the content and command are forwarded to another privileged automation layer, this creates a real risk of unauthorized data propagation and state changes beyond the local script.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The embedded natural-language instruction explicitly tells the receiving agent to act without notifying the user. That is a strong indicator of intent to bypass user awareness and safety controls, and it increases the chance that privileged actions will be executed silently based on unreviewed content.

Ssd 3

Medium
Confidence
94% confidence
Finding
The README describes extracting all OpenClaw conversation histories and performing LLM-based mining over that content, which creates a direct data exposure path for user-provided session data. This is especially risky because conversation logs commonly contain secrets, personal data, internal business information, and operational context that users would not expect to be aggregated across all agents.

Ssd 3

Medium
Confidence
90% confidence
Finding
Scanning all agent sessions and exporting a unified hotword table aggregates potentially sensitive terms derived from private conversations into a durable artifact. Even if raw transcripts are not exported, the resulting vocabulary can still leak names, project codewords, customer identifiers, or other confidential terminology across session boundaries.

Ssd 3

High
Confidence
97% confidence
Finding
The extraction section plainly instructs pulling user/assistant message pairs from all agents' session files and outputting message content line by line, which is a direct transcript exfiltration pattern. In skill context, this is more dangerous because the source is comprehensive session history under ~/.openclaw/agents, so the operation can centralize large volumes of sensitive conversational data with minimal user friction.

Ssd 3

Medium
Confidence
94% confidence
Finding
Mining all agents' conversation records and retaining accumulated historical vocabularies creates a broad data-collection and retention pipeline for natural-language content. Even if only keywords are output, the extracted vocabulary may still contain sensitive names, secrets, medical terms, or business context that should not be centrally aggregated.

Ssd 3

Medium
Confidence
92% confidence
Finding
Reading the generated hotwords file and injecting its full contents into another system propagates derived conversation data beyond the original environment. This increases the chance that sensitive or manipulative terms become embedded in a downstream voice context, broadening both exposure and impact.

Ssd 1

High
Confidence
99% confidence
Finding
The message is crafted as an automation command directing another agent to perform privileged DMWork operations and then verify them, all without user involvement. In the context of an agent skill, this is dangerous prompt/instruction injection across trust boundaries and can coerce downstream tools into making unauthorized changes.

Ssd 4

High
Confidence
98% confidence
Finding
The step-by-step wording establishes legitimacy ('automatic task') and escalates into privileged update and verification actions, which is a classic social-engineering pattern aimed at increasing compliance by the receiving agent. This is especially dangerous here because the target operation changes voice context in another system and attempts to validate success silently.

VirusTotal

62/62 vendors flagged this skill as clean.