ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Voice Agent

v1.1.0

Local Voice Input/Output for Agents using the AI Voice Agent API.

0· 3.5k·26 current·27 all-time
byRicardo Trevisan@ricardotrevisan
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The name/description (local voice I/O) matches the included client.py and SKILL.md: the skill is a file-based client that calls a local backend for Whisper STT and AWS Polly TTS. It does claim use of 'local Whisper' and 'AWS Polly' but those services are invoked by the backend at localhost:8000, not by the client — this is reasonable and proportionate for a client-only skill.
Instruction Scope
SKILL.md clearly limits runtime behavior to running the provided client script (transcribe, synthesize, health) against the local backend and explicitly forbids service management. The client uploads user-selected audio files to http://localhost:8000 and writes synthesized audio to a user-specified output path. It does not read other system files or access environment variables beyond standard Python operation.
Install Mechanism
There is no install spec (instruction-only) and included code is zero-dependency Python using the stdlib urllib — nothing is downloaded or installed automatically. This is low-risk from an install perspective.
Credentials
The skill declares no required env vars or credentials, which is consistent because the client talks to a local backend. However, SKILL.md mentions AWS Polly and local Whisper; those will require credentials/configuration in the backend (not in this package). Users should be aware the backend — not this client — will hold any cloud credentials.
Persistence & Privilege
The skill is not marked always:true, does not persist or modify other skills, and does not request elevated privileges. It is user-invocable and uses the agent only when invoked.
Assessment
This client-only skill is coherent, but before installing/using it: 1) ensure you actually run and trust the backend that must be reachable at http://localhost:8000 (the backend will handle Whisper and AWS Polly and will hold any cloud credentials); review the backend source or run it locally in an isolated environment. 2) Be aware the client uploads the audio file you specify to localhost and writes synthesized audio to the output path you provide — avoid pointing it at sensitive files or to paths where overwriting is a risk. 3) The client reads entire files into memory for upload, so very large files may cause memory pressure. 4) If you rely on production AWS credentials, ensure the backend stores and uses them securely (not this client). If you want extra assurance, inspect and run the backend code locally before connecting the skill to non-test data.

Like a lobster shell, security has layers — review code before you run it.

latestvk97dfxt8dcppeckhfp0xcp8rx1810bdr

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments