ClawVoice
WarnAudited by ClawScan on May 10, 2026.
Overview
ClawVoice fits its voice-bridge purpose, but its agent mode can run indefinitely and feeds WebSocket messages into the main agent through a shell command that needs safer boundaries.
Use this only with a trusted local voice server. Avoid non-local WebSocket URLs unless you trust the endpoint, run agent mode with a timeout, and ask the publisher to replace shell execution with safe argument-list subprocess calls and to declare dependencies.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted or untrusted voice/WebSocket message could be interpreted unsafely by the shell in some environments, potentially causing unintended local command execution or unintended main-agent invocation.
The agent mode takes received message content, builds a shell command string, and executes it. shlex.quote helps in POSIX shells, but safer argument-list execution is not used and the skill has no OS restriction.
cmd = f"openclaw agent --agent main --message {shlex.quote(message)}"
proc = await asyncio.create_subprocess_shell(Replace create_subprocess_shell with create_subprocess_exec using an argument list, avoid shell parsing entirely, and restrict/test OS behavior if shell quoting is required.
If the client is pointed at an untrusted or impersonated voice server, that endpoint could drive the main agent and receive responses or sensitive transcript content.
The client trusts the configured WebSocket, turns received messages into main-agent prompts, and returns the agent's stdout to that WebSocket; the artifacts do not show authentication, origin validation, or permission boundaries.
async with session.ws_connect(url) as ws:
... reply = await run_agent(user_text)
... await ws.send_json({"type": "message", "content": reply})Use only a trusted local voice server, add authentication/session binding, restrict or warn on non-local --url values, and consider requiring explicit user approval before entering bridge mode.
The bridge may continue processing spoken/WebSocket messages longer than intended if started without a timeout.
The agent bridge is explicitly documented as an indefinite loop unless a timeout is supplied.
This runs indefinitely by default. Use `--timeout` to limit the session:
Prefer running agent mode with a clear --timeout and stop it when the voice session is complete.
The skill may fail or depend on packages already present in the environment, making reproducibility and dependency review weaker.
The package declares no install requirements, while the artifacts rely on runtime tools and libraries such as uv, aiohttp, and openclaw.
Required binaries (all must exist): none ... Install specifications: No install spec — this is an instruction-only skill.
Declare required binaries and Python dependencies, or provide a pinned install/lock specification.