LiveVideoStore

Security checks across malware telemetry and agentic risk

Overview

This voice client mostly matches its stated purpose, but it needs review because it can transmit microphone audio and device identifiers to remote services with weak disclosure and imperfect user control.

Review before installing. Only run this if you trust the Tenclass/Xiaozhi service endpoints and are comfortable with remote voice processing. Assume microphone audio may be transmitted after a voice session starts, and avoid copying an unverified DLL into C:\Windows\System32; prefer a verified, pinned, app-local dependency.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
92% confidence
Finding
The script sends extensive device and network metadata to a remote server, including local IP, Wi‑Fi SSID, RSSI, board details, MAC-related identifiers, and firmware attributes, without meaningful user disclosure or consent. This creates a privacy and tracking risk and unnecessarily expands the amount of sensitive telemetry exposed to the service operator or any party with access to that backend.

Missing User Warnings

Medium
97% confidence
Finding
The code captures live microphone input and streams it to a remote server over the network, but the user-facing prompts do not clearly warn that speech leaves the local machine. Because microphone data can contain highly sensitive personal or environmental information, silent remote transmission materially increases privacy risk.

Missing User Warnings

Medium
92% confidence
Finding
The documentation explicitly states the application will automatically connect, but it does not warn users that network activity and possible audio/session data transmission will begin without an explicit informed consent prompt. In a voice client context, this increases privacy and transparency risk because users may unknowingly expose metadata or content to a remote service as soon as the app starts.

VirusTotal

66/66 vendors flagged this skill as clean.
