Skill v1.1.0

ClawScan security

Bidirectional Voice Chat System · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Mar 2, 2026, 6:00 PM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's files and dependencies broadly match a local voice-chat bridge, but the runtime instructions reference missing scripts and include steps that could expose recorded audio publicly (via tunnels) and suppress server logs — review missing files, public-tunnel usage, and telemetry before installing.
Guidance
What to check before installing or running this skill:

- Missing scripts: SKILL.md references hotkey_recorder.py, voice_chat_loop.py, chat.py and other runtime components that are not included. Ask the author for the missing files or disable features that call them. Running instructions that reference absent scripts will fail or be misleading.
- Public exposure risk: If you enable 'ngrok' / 'cloudflared' modes or set a real domain, generated voice files under ~/.openclaw/workspace/voice_output will become reachable from the Internet. The bundled HTTP server suppresses access logs, so traffic may not be visible locally. Only expose this if you understand who can access the URLs and you are comfortable with voice data being public.
- Credentials and tokens: The skill metadata does not declare any credentials, but ngrok/cloudflared require auth tokens (and Cloudflare Tunnel may require zone credentials). Manage those tokens carefully; do not paste them into untrusted code. The skill does not automatically upload data to any remote service in the provided code, but Edge TTS (edge-tts CLI) likely uses an online service — check its privacy policy.
- Telemetry / monitoring: daily_monitor.py writes local reports and runs a local test that invokes generate_voice.py. It does not appear to exfiltrate telemetry, but the code refers to ClawHub stats ('需手动从 ClawHub 获取') without automated upload. If you are uncomfortable with local reports under ~/.openclaw/workspace/memory, inspect or remove that script.
- Run in a sandbox first: Execute the scripts in a controlled environment (VM/container) to confirm behavior. Inspect generated URLs and verify that public-tunnel steps are manual and require your explicit tokens/configuration before you go public.
- Review edge-tts & third-party binaries: edge-tts and 'hear' are third-party programs; verify their source, CLI behavior (whether they send audio/text to external servers), and install them intentionally. The SKILL does recommend fetching hear from GitHub releases — confirm checksums/limits before placing binaries into ~/.local/bin.

Review Dimensions

Purpose & Capability
ok: Name/description, included scripts (transcribe, generate_voice, voice_server), and declared tools (ffmpeg, edge-tts, optional cloudflared/ngrok) are consistent with a bidirectional voice chat bridge that converts speech→text and text→speech and can serve files over HTTP.
Instruction Scope
concern: SKILL.md refers to many runtime scripts and features (hotkey_recorder.py, voice_chat_loop.py, chat.py, chat-related behavior, habits.json updates, .voice_trigger file) that are not present in the package. It instructs users to open public tunnels (ngrok/cloudflared) and to serve voice files with an HTTP server that intentionally suppresses access logs. This combination raises privacy/exposure concerns because generated voice files could become publicly accessible without obvious logging. The instructions also call for adding AGENTS.md behaviors (writing to habits.json and emotion updates) that are not implemented here.
Install Mechanism
note: No formal install spec (instruction-only with shipped scripts). The instructions recommend installing third-party binaries (ffmpeg, cloudflared, ngrok, hear) via brew/npm and downloading hear from a GitHub release — these are common but still involve executing fetched binaries. No archive downloads from obscure servers are present in the provided files.
Credentials
note: The skill requests no environment variables or credentials in metadata, which matches the included code. However, optional deployment modes (ngrok/cloudflared) require external tokens/credentials that are not listed or discussed in the skill metadata; daily_monitor mentions collecting 'installation data' but only writes local reports (no remote exfiltration in code).
Persistence & Privilege
note: The skill does not request always:true and does not modify other skills. It creates local state under ~/.openclaw/workspace and ~/.openclaw/workspace/memory. The HTTP server suppresses logging (QuietHTTPRequestHandler), which reduces visibility into external access when used with public tunnels — a design choice with privacy implications but not an explicit elevated privilege.