Browser Voice Gateway
Security checks across static analysis, malware telemetry, and agentic risk
Overview
This appears to be a real browser voice/chat gateway, but it gives trusted browsers broad OpenClaw tool access and has conversation-scoping issues that should be reviewed before use.
Install only if you need remote browser voice/chat for OpenClaw and are comfortable giving trusted browsers tool access. Before exposing it on your network, set a strong access code, shorten session lifetime, restrict network binding, review npm dependencies, and add or verify browser-specific tool and conversation access controls.
Static analysis
No static analysis findings were reported for this release.
VirusTotal
VirusTotal engine telemetry is currently stale for this artifact.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A trusted browser session could trigger any non-denied OpenClaw tool, which may include tools that read, write, or change local or account data depending on the user's OpenClaw setup.
After a browser is trusted, this endpoint accepts a tool name and arbitrary arguments from the browser and invokes OpenClaw tools, with the shown check only denying tools in a deny list.
const tool = params.validateBodyString(body.tool, 120); ... const args = ... body.args ...; ... const result = await params.invokeOpenClawTool({ api: params.api, sessionKey: conversation.sessionKey, tool, args });Use a strict browser-specific allowlist and per-action confirmation for sensitive tools, and do not expose this service beyond a network and devices you trust.
Any trusted browser may be able to search or see conversation records that belong to other trusted browsers or sessions.
The search route authenticates a browser but does not pass the browser ID or call `browserCanAccessConversation` before searching and serializing conversation records.
params.ensureTrustedBrowser(req, params.config); ... const store = params.loadConversationStore(); params.sendJson(res, 200, { results: params.searchConversations(store, query).map(params.serializeConversation) });Filter search results through `browserCanAccessConversation` or search only a browser-scoped conversation list before returning results.
If a conversation ID is known or exposed, a trusted browser could alter another conversation's history and trigger downstream summaries.
In the shown session-end handler, a trusted browser can select a conversation ID and cause transcript mutation and summary generation without an evident ownership/access check before the write.
const conversation = store.conversations[conversationId]; ... appendMessageToSessionTranscriptLocal({ sessionKey: conversation.sessionKey, role: "assistant", text: note ... }); ... summarizeConversationForHistory({ api: params.api, conversation: refreshedConversation })Check `browserCanAccessConversation` before every conversation mutation, not only before reads.
Voice and chat contents may be retained in OpenClaw history and used for summaries.
The plugin intentionally stores full transcripts and generates summaries, which is purpose-aligned but sensitive.
- conversation history - full transcript storage - device-aware continuity - history browsing - conversation summarization for voice sessions - on voice session end
Avoid discussing secrets unless you are comfortable with transcript retention, and review any available retention or cleanup settings.
Using the plugin can incur provider API usage and gives the plugin access to the configured OpenAI and Google provider authority.
The plugin uses OpenClaw-held OpenAI and Google credentials to create short-lived provider credentials for browser voice sessions.
Required providers: - `openai` - `google` The real keys are resolved server-side from OpenClaw runtime auth/key-store support.
Install only if you intend this plugin to use those provider keys, and monitor provider usage/costs.
A trusted phone or browser can remain authorized for about 30 days, and the service may be reachable from the local network.
The documented example creates long-lived trusted browser sessions and binds the service to all network interfaces.
"browserSessionTtlHours": 720, ... "bind": "0.0.0.0", ... "autoSelfSigned": true
Use a strong access code, shorten the session TTL if possible, log out unused browsers, and bind to a narrower interface or trusted network.
Installing npm dependencies runs the normal package installation process for this plugin.
Manual npm dependency installation is expected for this plugin, but it is still a supply-chain step users should review.
Run: ```bash npm install ``` This installs the packages this plugin needs for Gemini support.
Review package.json/package-lock.json and install from a trusted source before running the plugin.