openclaw-whisper-voice

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local Whisper transcription setup that installs user-local tools and processes audio files, with no evidence of hidden or destructive behavior.

Install only if you want local transcription on the Gateway host. Review the two shell scripts first, and consider running them in a virtual environment or otherwise pinning dependencies if your environment has strict supply-chain controls; expect user-local Python packages, ~/.local/bin launchers, and Whisper model downloads.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 91% confidence
Finding: The skill instructs the agent/operator to run local shell scripts and configure a CLI transcription command, but it does not declare corresponding permissions. That creates a trust and review gap: consumers may treat the skill as low-risk while it actually enables command execution on the host, increasing the chance of unsafe deployment or unexpected host-side actions.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal