qwenspeak

Security checks across malware telemetry and agentic risk

Overview

The skill’s TTS purpose is coherent, but its setup uses an unpinned root installer and persistent SSH access, so it needs review before installation.

Before installing, do not pipe the installer directly into sudo. Download and inspect a pinned version, verify checksums if available, and understand the files and SSH access it creates. Use a dedicated SSH key, confirm QWENSPEAK_HOST and QWENSPEAK_PORT point to your own trusted service, and only use voice samples you are authorized to clone.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill explicitly enables voice cloning from uploaded reference audio and transcripts but provides no safeguards, consent requirements, privacy guidance, or abuse limitations. In this context, that omission materially increases the risk of impersonation, non-consensual cloning, and mishandling of biometric voice data, especially because the feature is presented as a normal workflow.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The skill exposes remote file-management operations including delete, move, copy, and directory removal over SSH, but the documentation does not warn that these actions are destructive or affect remote state. While traversal is noted as blocked, users or downstream agents could still unintentionally delete or overwrite files in the remote work directory, causing data loss or operational disruption.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The setup documentation instructs users to execute a remote script directly from GitHub and pipe it into sudo bash, granting the fetched content full root privileges without inspection or integrity verification. If the repository, branch, network path, or referenced script is compromised, the host can be fully taken over; the TTS/SSH context increases risk because the installer explicitly modifies local command paths and SSH-related files.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The instructions tell users to append an SSH public key into ~/.qwenspeak/authorized_keys without explaining that this grants login capability to the service over SSH and may widen access if the key is shared, weakly protected, or added incorrectly. In a skill designed to expose TTS over SSH, this is contextually expected, but omitting access-control guidance can still lead to unintended remote access exposure.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal