ASR Personal Hotwords

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent ASR hotword-mining purpose, but it uploads private conversation history and raw LLM API configuration (including the API key) to a hard-coded external server over plain HTTP, so the data is exposed both to that operator and to anyone on the network path.

Install only if you fully trust the operator of the configured asr-corrector server with your OpenClaw conversations and LLM API key. Prefer a local or self-hosted HTTPS endpoint, remove api_key from the remote payload, review extracted chat data before upload, avoid scheduled runs by default, and do not enable Telegram/Feishu summaries unless you intentionally want conversation-derived results sent there.
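The mitigations above (drop api_key from the remote payload, prefer HTTPS or a local endpoint, review extracted chat data before upload) can be enforced in code rather than left to the user. The following is an added example written for this page; it is not code from the skill, from OpenClaw or from SkillSpector. It assumes a provider dict with `apiKey`, `baseUrl` and `model` keys as described in the findings, a list of transcript strings, and a hypothetical endpoint URL; the token patterns and the sample transcript are constructed for the illustration.

```python
"""Added example, not code from the skill or from SkillSpector.

Shows the mitigation the overview recommends: drop the API key (and the
provider base URL) from what is sent to the asr-corrector service, scrub
secret-looking tokens out of the transcripts, and refuse plaintext HTTP
except to loopback. The payload shape, the provider dict keys and the
example transcript are assumptions made for this illustration.
"""
import re
from typing import Dict, List
from urllib.parse import urlparse

# Secret-looking token shapes commonly found in agent transcripts.
# Constructed for this example; extend with your own provider formats.
SECRET_PATTERNS = [
    re.compile(r"sk-[A-Za-z0-9_\-]{16,}"),             # OpenAI-style keys
    re.compile(r"AKIA[0-9A-Z]{16}"),                   # AWS access key IDs
    re.compile(r"ghp_[A-Za-z0-9]{36}"),                # GitHub PATs
    re.compile(r"(?i)bearer\s+[A-Za-z0-9._\-]{20,}"),  # Authorization headers
]
REDACTED = "[REDACTED]"

# Only the model name is plausibly useful to a remote corrector. apiKey must
# never leave the host; baseUrl reveals internal infrastructure.
ALLOWED_LLM_FIELDS = {"model"}
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def redact_secrets(text: str) -> str:
    """Replace anything matching SECRET_PATTERNS with a placeholder."""
    for pattern in SECRET_PATTERNS:
        text = pattern.sub(REDACTED, text)
    return text


def endpoint_allowed(url: str) -> bool:
    """HTTPS anywhere, or plain HTTP only to a loopback address."""
    parsed = urlparse(url)
    if parsed.scheme == "https":
        return True
    return parsed.scheme == "http" and (parsed.hostname or "") in LOOPBACK_HOSTS


def build_upload_payload(provider_config: Dict[str, str],
                         transcripts: List[str],
                         endpoint: str) -> Dict[str, object]:
    """Minimized payload; raises before any secret could be serialized."""
    if not endpoint_allowed(endpoint):
        raise ValueError(f"refusing insecure upload endpoint: {endpoint}")
    llm = {k: v for k, v in provider_config.items() if k in ALLOWED_LLM_FIELDS}
    return {"llm": llm, "transcripts": [redact_secrets(t) for t in transcripts]}


if __name__ == "__main__":
    # Constructed sample, shaped like the provider block in openclaw.json.
    provider = {"apiKey": "sk-EXAMPLEKEY0123456789abcd",
                "baseUrl": "https://llm.internal.example/v1",
                "model": "gpt-example"}
    chats = ["user: my key is sk-EXAMPLEKEY0123456789abcd, fix the ASR output"]
    print(build_upload_payload(provider, chats, "https://corrector.example/asr"))
    print(endpoint_allowed("http://203.0.113.7:8080/asr"))  # False
```

The redaction is a last line of defence, not a substitute for reviewing the extracted transcripts before upload: pattern-based scrubbing only catches token formats you anticipated, and names, customer details and internal prompts pass through untouched.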

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill directs the agent to push result summaries to Telegram and Feishu, which are external channels unrelated to the core local hotword-mining function. Even if framed as a convenience feature, this creates an unnecessary outbound data path for conversation-derived content and metadata, increasing the chance of leakage to third-party systems.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill instructs reading the global OpenClaw configuration to access provider settings including apiKey and baseUrl, even though the feature is presented as an ASR hotword miner. Accessing central credential-bearing config broadens the skill's privilege scope and exposes secrets to a component that also sends data to remote services.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README explicitly states that OpenClaw conversation histories are extracted and sent to a remote asr-corrector service, but it does not provide a clear user warning about privacy, sensitivity of message contents, or the trust boundary created by transmitting agent conversations off-host. Because conversation logs can contain secrets, personal data, internal prompts, and customer information, omission of this warning materially increases the risk of unintended data exfiltration.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README advertises zero-config automatic reading of the API key, base URL, and model name from ~/.openclaw/openclaw.json without a prominent warning that the skill reads sensitive local credentials. Granting implicit access to secrets and remote-service configuration expands the skill's blast radius: the credential can be misused by the skill's own code or by the remote service it forwards configuration to, and users may not realize that installing the skill exposes local secret material to that code.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill instructs automatic modification of workspace files, specifically appending configuration to TOOLS.md, without a clear warning that local files will be changed or a confirmation checkpoint immediately before the write. Silent or unexpected persistence changes can mislead users, alter downstream agent behavior, and make review/auditing harder.

Missing User Warnings

High
Confidence
98% confidence
Finding
The documented pipeline sends extracted session conversations to a remote asr-corrector service but provides no explicit privacy warning, consent flow, data minimization statement, or retention/security guarantees. Because the source material is conversation history, the transmitted content may contain sensitive personal, business, or credential-like data, making the remote transfer materially risky.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
This script extracts conversation transcripts from agent session files and can write them directly to an arbitrary output path without any built-in warning, confirmation, minimization, or access-control check. In this skill context, the data source is chat/session history that may contain sensitive prompts, personal data, credentials, or internal context, so exporting it increases the risk of unintended disclosure if run casually or with an unsafe destination.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script sends extracted conversation content plus LLM configuration derived from ~/.openclaw/openclaw.json to a remote server, which may include API credentials and sensitive user data. In this skill context, the code processes private chat transcripts, making exfiltration to an external service particularly dangerous because it can leak confidential conversations and secrets to infrastructure outside the user's control.

Ssd 3

Medium
Confidence
94% confidence
Finding
Pushing mined result summaries to external messaging platforms creates a natural-language exfiltration path for information derived from private conversations. Even summaries can expose names, topics, business terms, or other sensitive hotwords, and the skill context makes this especially dangerous because the source data is explicitly mined from dialogue history.

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pyyaml>=6.0
Confidence
92% confidence
Finding
requests>=2.28.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
requests>=2.28.0
pyyaml>=6.0
Confidence
96% confidence
Finding
pyyaml>=6.0

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category
Supply Chain
Confidence
90% confidence
Finding
requests

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
98% confidence
Finding
pyyaml
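The two Unpinned Dependencies findings and the two Known Vulnerable Dependency findings are range-based: they fire because `requests>=2.28.0` and `pyyaml>=6.0` do not exclude every version an advisory covers, not because a vulnerable version is known to be installed. The practical question is what the lowest version each specifier permits is, and whether that version predates the fix for each named CVE. The following is an added example written for this page, not code from the report, the skill or any scanner. The fixed-version values are taken from the public advisories for the CVEs named above and are not stated on the page; the `+7 more` and `+5 more` advisories the report truncates are not modelled, so a clean result here does not by itself justify downgrading the report's severity.

```python
"""Added example, not code from the report, the skill or any scanner.

Computes the lowest version a requirement specifier permits and compares it
with the release that fixed each advisory named in the report. Fixed-version
values come from the public advisories, not from the page; the truncated
'+N more' advisories are not modelled.
"""
import re
from typing import Dict, List, Optional, Tuple

# Package -> {CVE: first fixed release}. Only the advisories named on the page.
FIXED_IN: Dict[str, Dict[str, str]] = {
    "requests": {
        "CVE-2014-1830": "2.3.0",
        "CVE-2024-35195": "2.32.0",
        "CVE-2024-47081": "2.32.4",
    },
    "pyyaml": {
        "CVE-2019-20477": "5.2",
        "CVE-2020-1747": "5.3.1",
        "CVE-2020-14343": "5.4",
    },
}

# name, optional operator, optional version, optional trailing comment.
REQ_RE = re.compile(r"\s*([A-Za-z0-9_.\-]+)\s*(==|>=|~=)?\s*([0-9][0-9.]*)?\s*(#.*)?")


def version_key(v: str) -> Tuple[int, ...]:
    """Dotted release numbers only (no pre-release or local tags)."""
    return tuple(int(p) for p in v.split("."))


def parse_requirement(line: str) -> Tuple[str, Optional[str], Optional[str]]:
    m = REQ_RE.fullmatch(line)
    if not m:
        raise ValueError(f"unsupported requirement syntax: {line!r}")
    name, op, ver, _comment = m.groups()
    return name.lower(), op, ver


def is_pinned(line: str) -> bool:
    """Only an exact '==' constraint fixes the resolved version."""
    _, op, ver = parse_requirement(line)
    return op == "==" and ver is not None


def exposed_advisories(line: str) -> List[str]:
    """CVEs whose fix is newer than the lowest version the specifier allows.
    A bare name (no constraint) is treated as allowing every version."""
    name, _op, ver = parse_requirement(line)
    floor = version_key(ver) if ver else (0,)
    return sorted(cve for cve, fixed in FIXED_IN.get(name, {}).items()
                  if version_key(fixed) > floor)


def minimum_safe_version(name: str) -> Optional[str]:
    """Highest fix among the modelled advisories: the floor a pin must meet.
    Pin to a current release, not merely to this floor."""
    fixes = FIXED_IN.get(name.lower())
    return max(fixes.values(), key=version_key) if fixes else None


if __name__ == "__main__":
    for req in ("requests>=2.28.0", "pyyaml>=6.0"):  # the two lines from the report
        name, _, _ = parse_requirement(req)
        print(req, "pinned" if is_pinned(req) else "unpinned",
              exposed_advisories(req), "floor:", minimum_safe_version(name))
```

Run against the two lines the report quotes, `requests>=2.28.0` still admits 2.28.0, which predates the fixes for CVE-2024-35195 (2.32.0) and CVE-2024-47081 (2.32.4), while CVE-2014-1830 (fixed in 2.3.0) is excluded by the floor. `pyyaml>=6.0` sits above the fixes for all three named PyYAML advisories (5.2, 5.3.1, 5.4), so the Critical rating rests on the unmodelled `+5 more` and on the open upper bound rather than on the three CVEs shown. In either case the fix is the same: pin with `==` (or a lock file with hashes) so the resolved version is known and reviewable.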

VirusTotal

No VirusTotal findings
