ClawHub

Local Tts Workflow

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill helps debug local or self-hosted text-to-speech workflows, with expected but sensitive voice-consent handling that users should manage carefully.

Install only if you intend to let an agent debug your OpenClaw TTS setup. Treat voice recordings and transcripts as sensitive personal data: use trusted local or owned servers, get consent before uploading voices, and understand how stored recordings and metadata can be access-controlled and deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill instructs users to upload and store voice-consent material and emphasizes persistence of both reference audio and reference text, but it provides no privacy, retention, access-control, or consent-handling safeguards. Because voice recordings and transcripts are sensitive biometric/personal data, normalizing their storage without warnings or constraints can lead to unnecessary retention, unauthorized reuse, or privacy violations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly describes persistent storage of uploaded voice consent recordings and metadata, including absolute filesystem paths, but does not mention retention limits, access controls, deletion procedures, or privacy implications. Because these uploads are biometric voice samples and associated metadata, retaining them indefinitely or exposing their storage locations increases privacy, data protection, and unauthorized access risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal