ClawVoice
Security checks across malware telemetry and agentic risk
Overview
ClawVoice is a plausible voice bridge, but its agent mode can keep running and may let specially crafted WebSocket messages reach the local shell on some systems.
Before installing or running this skill, use it only with a trusted local voice server, avoid arbitrary WebSocket URLs, prefer bounded sessions with `--timeout`, and consider patching the agent bridge to use argument-list subprocess execution instead of a shell.
VirusTotal
66/66 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malicious or compromised voice/WebSocket endpoint could potentially turn a message into local shell command execution on affected platforms, rather than only prompting the agent.
Received WebSocket message text is interpolated into a shell command. `shlex.quote` helps on POSIX shells, but shell string construction is unnecessary for this fixed command and is not a robust cross-platform boundary.
cmd = f"openclaw agent --agent main --message {shlex.quote(message)}"
proc = await asyncio.create_subprocess_shell(
Replace `create_subprocess_shell` with `create_subprocess_exec` using an argument list, or explicitly restrict and harden supported OS/shell behavior. Until then, use agent mode only with a trusted local endpoint.
If pointed at an untrusted or non-local WebSocket server, that server can see conversation text, receive agent output, and send prompts into the bridge.
The skill exchanges user messages and agent replies over a configurable WebSocket endpoint, with no authentication or origin validation shown in the client.
parser.add_argument("--url", default=DEFAULT_URL, help=f"WebSocket URL (default: {DEFAULT_URL})")
async with session.ws_connect(url) as ws:
Use the default trusted local voice server or an authenticated secure endpoint; avoid arbitrary WebSocket URLs for sensitive conversations.
If left running, the bridge can continue accepting voice/WebSocket messages and invoking the main agent.
The long-running agent bridge is disclosed and user-controllable, but its default behavior is unbounded until stopped.
This runs indefinitely by default. Use `--timeout` to limit the session
Run it in a visible terminal, use `--timeout` for bounded sessions, and stop it when the voice session is over.
The skill may rely on pre-existing local packages, and there is limited publisher/source context for trust decisions.
The artifacts are short and no remote installer is shown, but provenance and setup metadata are sparse; the runtime still depends on Python tooling and `aiohttp`.
Source: unknown; Homepage: none; Install specifications: No install spec — this is an instruction-only skill.
Review the bundled client.py before use and ensure `uv`, Python, and `aiohttp` come from trusted local installations.
