WebChat Voice Full Stack

Pass

Audited by ClawScan on May 1, 2026.

Overview

The artifacts show a transparent, user-run meta-installer for local WebChat voice input, with disclosed downstream script execution, local UI/gateway changes, and user-level persistent services.

Install only if you want persistent local WebChat voice support. Before running deploy.sh, install and review the three sub-skills, run rehash.sh after that review, verify the chosen host/port/origin, and keep the uninstall steps available.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Deployment includes code from other installed skills, not just the files in this package.

Why it was flagged

The meta-installer runs deployment scripts from three separately installed skills, so those sub-skill versions and scripts are part of the trust boundary.

Skill content

BACKEND="$SKILLS_DIR/faster-whisper-local-service/scripts/deploy.sh" ... bash "$BACKEND" ... bash "$PROXY" ... bash "$GUI"

Recommendation

Review the three sub-skills' scripts, then run rehash.sh to record trusted checksums before deployment.

What this means

WebChat will load an added voice UI script and trust an added HTTPS origin.

Why it was flagged

The installer intentionally changes the WebChat UI and gateway configuration. This is expected for the voice feature, but it is still a meaningful local application modification.

Skill content

UI enablement: injects one explicit `<script>` tag for `voice-input.js` in Control UI ... Gateway compatibility: appends one HTTPS origin to `gateway.controlUi.allowedOrigins`

Recommendation

Confirm the configured host/origin is trusted and review the downstream voice GUI and proxy scripts before enabling them.

What this means

Voice and WebChat traffic may pass through the local HTTPS/WSS proxy, so host, port, TLS, and auth settings matter.

Why it was flagged

The skill adds a proxy and gateway origin for WebChat and transcription traffic, changing the local communication boundary.

Skill content

`webchat-https-proxy` - Starts HTTPS/WSS proxy on `:8443` - Adds gateway allowed origin

Recommendation

Keep the proxy bound to trusted interfaces and verify the proxy sub-skill's TLS/auth behavior before use.

What this means

The transcription backend and proxy can keep running until the user disables or uninstalls them.

Why it was flagged

The skill creates services that continue running after deployment and reboot, but this persistence is disclosed and purpose-aligned.

Skill content

Persistence: creates user-level systemd services so STT/proxy survive reboot (`openclaw-transcribe`, `openclaw-voice-https`)

Recommendation

Use the provided status and uninstall steps, or systemctl --user, to verify and disable the services when no longer needed.