ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Elderly Voice Assistant

v1.0.0

银发族语音助手——老年人对着手机说话就能发消息、查天气、设闹钟、听戏曲,无需学任何操作。

0· 163·0 current·0 all-time
by@scikkk
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description (elderly voice assistant) align with requiring python3, requests, and a SENSEAUDIO_API_KEY for ASR/TTS. Those requirements are expected for the stated purpose. However, the skill also claims functions (send messages to family, notify relatives when idle, invoke system alarm APIs, access contact mappings) that would normally require additional permissions or credentials which are not declared.
!
Instruction Scope
SKILL.md contains concrete runtime instructions and a full Python implementation that uploads user audio to https://api.senseaudio.cn (ASR/TTS) and plays audio locally. It also describes sending messages, accessing contact mappings, and notifying family/setting alarms, but gives no implementation details, no endpoints, and no required environment variables or config paths for those actions. The prompt/code will cause user audio to be transmitted off-device (privacy concern) and instructs subprocess execution to play audio. The instructions do not request unrelated env vars, but they do leave broad discretion and unspecified external interactions (message delivery, notifications) that are out-of-band of the declared API key.
Install Mechanism
Install spec lists a single dependency (requests). This is proportionate for the included Python code which uses the requests library. No arbitrary downloads or extract-from-URL steps are present.
!
Credentials
Only SENSEAUDIO_API_KEY is required and is appropriate for ASR/TTS. But capabilities described (sending messages, notifying relatives, accessing contacts, interacting with system alarms) would typically require additional credentials or platform permissions (SMS/messaging API keys, contact access tokens, mobile OS alarm APIs). Those are not declared, creating a gap between claimed features and declared environment access.
Persistence & Privilege
The skill does not request always:true and defaults to normal agent invocation. There is no install action that modifies other skills or system-wide configs. Playing audio and calling subprocesses are local actions but do not imply elevated or persistent privileges.
What to consider before installing
This skill mostly does what it says: it sends recorded audio to senseaudio.cn for ASR and TTS using a single API key. Before installing, confirm the following with the publisher: (1) Where and how does "send_message" deliver messages? What messaging API or permissions does it use and what credentials will be required? (2) How are contacts and "notify family" implemented and stored? Does the skill access the device contact list or require tokens for a messaging service? (3) Does the SenseAudio API store or retain uploaded audio? Check privacy, retention, and consent policies at the provided docs. (4) Verify the required local players (afplay/play/mpg123) and the subprocess usage — test in an isolated environment if possible. (5) Limit the SENSEAUDIO_API_KEY scope if supported and ensure you can revoke it. If the publisher cannot clearly explain how messages/notifications/alarms are implemented (and what extra permissions are needed), treat the missing details as a red flag and avoid granting broad access or production use.

Like a lobster shell, security has layers — review code before you run it.

latestvk97d3ca246crfx295e0csess2982y9qw

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

👴 Clawdis
Binspython3
EnvSENSEAUDIO_API_KEY
Primary envSENSEAUDIO_API_KEY

Install

uvuv tool install requests

Comments