ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Pilot Voice Memo

v1.0.0

Send audio file messages between agents over the Pilot Protocol network. Use this skill when: 1. You need to send audio recordings or voice notes 2. You want...

0· 23·0 current·0 all-time
byCalin Teodor@teoslayer
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description align with the actions described (record audio, send/receive files over Pilot). Requiring pilotctl is coherent for a Pilot Protocol skill. However, the SKILL.md assumes additional tools (arecord, ffmpeg, jq, aplay/afplay/ffplay) that are not declared in the registry metadata, which is an omission.
!
Instruction Scope
Instructions direct the agent to record from the system microphone, create temporary files (/tmp/*), invoke pilotctl to transmit files to other agents, and use system tools (arecord, ffmpeg, jq, aplay/afplay). The skill metadata only declares pilotctl; SKILL.md also relies on other binaries and implicitly on the Pilot daemon/configuration and credentials that are not described. The agent will therefore access hardware (mic) and the network via pilotctl — expected for the feature but under-documented and not declared.
Install Mechanism
Instruction-only skill with no install spec and no code files; nothing is written to disk by an installer. This minimizes installation risk. The runtime still depends on existing local binaries (see instruction_scope).
Credentials
The skill declares no required environment variables or credentials, which is plausible if pilotctl uses local config files for auth. However, SKILL.md uses pilotctl to send files over the network without describing authentication, storage locations, or what pilotctl transmits. The absence of declared credentials is a gap — pilotctl likely relies on a daemon/config that may hold private keys or tokens.
Persistence & Privilege
The skill is not always-enabled and does not request elevated persistence. It is user-invocable and allows normal autonomous invocation; this is the platform default and is not flagged alone.
What to consider before installing
This skill appears to do what it says (record and send voice memos), but the instructions assume several local tools (arecord, ffmpeg, jq, aplay/afplay/ffplay) that are not listed in the skill metadata. Before installing: 1) Verify you have a trusted pilotctl binary and daemon (inspect pilotctl's config and auth storage) because pilotctl will send audio over the Pilot network and may use stored credentials. 2) Be aware the skill will access your microphone (arecord/other recorder) and create temporary audio files. 3) Confirm or install required tools (arecord/ffmpeg/jq/playback tools) from trusted sources. 4) If you need stronger assurance, ask the publisher for an explicit list of required binaries and for details on how pilotctl authenticates and where received files are stored; or run the skill in a sandboxed environment first. If you cannot verify pilotctl/pilot-protocol trust, avoid installing or using the skill.

Like a lobster shell, security has layers — review code before you run it.

latestvk977pk57wgrzqkyz79czg0708d84gpgy

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

Binspilotctl

Comments