Skill v1.0.6
ClawScan security
hotbutter voice chat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 7:17 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, instructions, and requirements are internally consistent: it connects to the hosted relay (hotbutter.ai), runs the local openclaw CLI for each voice turn, and forwards transcripts/responses through the relay as described.
- Guidance: This skill intentionally routes transcribed speech and the agent's stdout through the hosted relay at wss://hotbutter.ai; that behavior is explicit in SKILL.md and the code. Only install/run it if you are comfortable that agent output may pass through that server. If you need privacy, use the documented --relay-url option to point to a relay you control or use the fully-local hotbutter-os project. Be cautious about following the index.html curl | tar example — that would download code from hotbutter.ai; verify the source before running. Finally, audit what your local 'openclaw' agent prints (it may include secrets), and avoid running agents that output sensitive data while this bridge is active.
Review Dimensions
- Purpose & Capability (ok): Name/description claim a hosted relay voice bridge. The package only requires the local 'openclaw' CLI and includes code that opens a WebSocket to a relay and invokes 'openclaw agent' — these are exactly what the feature needs.
- Instruction Scope (ok): SKILL.md and the JS code consistently state that transcribed speech and agent stdout are sent via the relay. The runtime does not read unrelated files or environment variables; it only stores a small config at ~/.hotbutter and prompts for an optional email. The agent invocation uses execFile (no shell) and captures stdout as the message to relay.
- Install Mechanism (note): There is no formal install spec in the registry (lowest-risk), but index.html contains an example curl | tar command that would download code from hotbutter.ai. That external download is outside the registry install metadata — if users follow it they should verify the remote host. The packaged code itself has no obfuscated downloads.
- Credentials (ok): The skill requests no environment variables or external credentials and only writes a local config (~/.hotbutter). That matches its functionality. No unrelated credentials or config paths are requested.
- Persistence & Privilege (ok): always:false and user-invocable:true. The skill only stores an optional email locally and does not alter other skills or system-wide agent settings.
