macOS Local Voice

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: macos-local-voice
Version: 1.0.0

The skill is classified as suspicious due to a potential arbitrary file write vulnerability in `scripts/tts.mjs`. The `output_path` argument, if provided by the user or agent, is used directly to construct the output file path. This could allow an attacker to specify a path traversal sequence (e.g., `../../../malicious.aiff`), leading to the creation of audio files in unintended file system locations. While the default output path is safe and there is no evidence of intentional malicious behavior, this represents a significant vulnerability.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

When used, the skill will run local audio-related binaries on the Mac.

Why it was flagged

The skill runs native macOS command-line tools to synthesize audio. This is local code execution from PATH, but it is clearly part of the advertised TTS behavior and uses argument arrays rather than a shell command string.

Skill content

```js
execFileSync("say", sayArgs, { stdio: ["pipe", "pipe", "pipe"] });
```

Recommendation

Install and keep only trusted versions of the required binaries in PATH, and review any user-specified output path before generating audio.

What this means

If an external dependency is compromised or unexpected, the skill could execute untrusted local code when transcribing or converting audio.

Why it was flagged

The skill depends on external Homebrew packages that are not version-pinned in the artifacts. These dependencies are expected for the STT/TTS purpose, but their provenance affects the safety of the local commands the skill runs.

Skill content

```sh
brew install finnvoor/tools/yap   # STT
brew install ffmpeg                # audio format conversion (optional but recommended)
```

Recommendation

Verify the Homebrew tap and ffmpeg source before installing, and prefer trusted or pinned package versions where possible.

What this means

Generated audio may be sent through the messaging environment if this step is used.

Why it was flagged

The skill documents using the message tool to send the generated audio file as a voice note. This is disclosed and relevant to the use case, but it is an outbound action beyond purely local audio generation.

Skill content

```
message action=send media=<path_from_tts.sh> asVoice=true
```

Recommendation

Use the message-send step only when the user explicitly wants to send a voice note, and review the generated file and destination first.