Open Utter (Meeting Bot)

Pass

Audited by VirusTotal on May 11, 2026.

Overview

Type: OpenClaw Skill
Name: openutter
Version: 1.0.1

The skill bundle is classified as suspicious because of a shell injection vulnerability in `scripts/utter-join.ts`. The `execSync` call that sends messages via `openclaw message send` interpolates the `opts.channel` parameter directly into the shell command string with no escaping at all; the remaining arguments are only wrapped with `JSON.stringify`, which is JSON quoting, not shell quoting. Anyone who can influence the `--channel` argument (for example through prompt injection against the OpenClaw agent) can therefore inject arbitrary shell commands. The skill's core functionality (Google Meet bot, caption capture, local storage of auth) matches its stated purpose, but this defect poses a significant risk of remote code execution under the user's account.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

If a channel, target, or related value can be manipulated to include shell metacharacters, the bot could run unintended local commands under the user's account when sending chat updates.

Why it was flagged

`execSync` invokes a shell, and `channel`, `target`, `message`, and `mediaPath` are inserted into the command string rather than passed as safe argv values. `JSON.stringify` is not shell escaping: it only wraps the value in double quotes, and a POSIX shell still expands `$(...)`, backticks and `$VAR` inside double quotes, so even the JSON-quoted fields remain injectable. The unquoted `channel` field needs no trick at all; a `;` ends the command.

Skill content
execSync(`openclaw message send --channel ${opts.channel} --target ${JSON.stringify(opts.target)} --message ${JSON.stringify(opts.message)} --media ${JSON.stringify(opts.mediaPath)}`, ...)
Recommendation

Replace shell-string `execSync` with `execFileSync`/`spawn` using an argument array or a direct OpenClaw API, and strictly validate channel and target values.
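The following is an added example, not code from the skill or from OpenClaw, showing the vulnerable string-building pattern beside the argv-based replacement the recommendation describes. The `SendOpts` shape, the channel allowlist pattern and the injectable `Runner` type are assumptions introduced for illustration; the hostile inputs are constructed.

```typescript
import { execFileSync } from "node:child_process";

// Assumed option shape, mirroring the fields quoted in the finding (not the skill's own type).
export interface SendOpts {
  channel: string;
  target: string;
  message: string;
  mediaPath: string;
}

// The vulnerable pattern from the finding, reproduced only to BUILD the command line
// (never executed here) so the effect of untrusted input is visible.
export function buildShellCommand(opts: SendOpts): string {
  return (
    `openclaw message send --channel ${opts.channel} ` +
    `--target ${JSON.stringify(opts.target)} ` +
    `--message ${JSON.stringify(opts.message)} ` +
    `--media ${JSON.stringify(opts.mediaPath)}`
  );
}

// Strict allowlist for channel identifiers. The exact pattern is an assumption;
// tighten it to whatever channel names the real CLI accepts.
const CHANNEL_RE = /^[a-z][a-z0-9-]{0,63}$/;

export function validateChannel(channel: string): string {
  if (!CHANNEL_RE.test(channel)) {
    throw new Error(`refusing channel value: ${JSON.stringify(channel)}`);
  }
  return channel;
}

// Hardened form: an argv array, never a shell string. Each value becomes exactly one
// argv element, so shell metacharacters stay literal.
export function buildSendArgv(opts: SendOpts): string[] {
  return [
    "message", "send",
    "--channel", validateChannel(opts.channel),
    "--target", opts.target,
    "--message", opts.message,
    "--media", opts.mediaPath,
  ];
}

// Runner abstraction (assumption) so the send path can be exercised without the real binary.
export type Runner = (file: string, args: string[]) => string;

// Default runner: execFileSync with no shell involved.
const defaultRunner: Runner = (file, args) =>
  execFileSync(file, args, { encoding: "utf8" });

export function sendMessage(opts: SendOpts, run: Runner = defaultRunner): string {
  return run("openclaw", buildSendArgv(opts));
}

// Constructed hostile inputs for demonstration.
export const HOSTILE_CHANNEL = "discord; id > /tmp/injected"; // unquoted field: direct injection
export const HOSTILE_MESSAGE = "status: $(id)";                // JSON-quoted field: "$(...)" still expands in sh
```

With the hostile channel, `buildShellCommand` yields a command line containing `; id > /tmp/injected`, which a shell would run as a second command; with the hostile message it yields `"status: $(id)"`, which double quotes do not protect. `buildSendArgv` delivers both values as single literal arguments and rejects the channel outright. One caveat the argv form does not address: a value beginning with `-` may still be parsed as an option by the receiving CLI, so if `openclaw` supports a `--` separator, place free-form values after it.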

What this means

Signing in can leave a reusable Google session on disk; any process or future agent run with access to that file may be able to act as the signed-in account for Google web sessions.

Why it was flagged

Authenticated mode relies on a persistent Google browser session rather than a narrow scoped credential. The registry metadata declares no primary credential, so this broad session authority is under-declared.

Skill content
`--auth` — join using saved Google account (~/.openutter/auth.json) ... `~/.openutter/auth.json` — saved Google session (cookies + localStorage, from utter-auth.ts)
Recommendation

Prefer guest mode or a dedicated low-privilege Google account, document this as a credential requirement, store the file with restrictive permissions, and provide clear logout/cleanup instructions for `~/.openutter/auth.json` and the browser profile.
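As an added example (not part of the skill or of OpenClaw), the following helper inspects the saved session file at the path the skill documents, tightens it to owner-only permissions, and removes it as a logout step. The report shape, the POSIX mode checks and the optional `profileDir` argument are assumptions; the skill's browser profile location is not stated on this page, so it must be supplied by the caller.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Path documented by the skill for the saved Google session.
export const AUTH_FILE = path.join(os.homedir(), ".openutter", "auth.json");

// Assumed report shape for illustration.
export interface AuthFileReport {
  exists: boolean;
  mode?: number;                       // permission bits only, e.g. 0o600
  groupOrWorldReadable: boolean;       // any group/other bit set on the file
  dirGroupOrWorldAccessible: boolean;  // any group/other bit set on its directory
  ageHours?: number;                   // time since last write; old sessions deserve a logout
}

// Inspect the session file and its directory without reading the cookies themselves.
export function inspectAuthFile(file: string = AUTH_FILE): AuthFileReport {
  if (!fs.existsSync(file)) {
    return { exists: false, groupOrWorldReadable: false, dirGroupOrWorldAccessible: false };
  }
  const st = fs.statSync(file);
  const dirSt = fs.statSync(path.dirname(file));
  const mode = st.mode & 0o777;
  return {
    exists: true,
    mode,
    groupOrWorldReadable: (mode & 0o077) !== 0,
    dirGroupOrWorldAccessible: (dirSt.mode & 0o077) !== 0,
    ageHours: (Date.now() - st.mtimeMs) / 3_600_000,
  };
}

// Tighten permissions in place: owner-only directory (0700) and file (0600).
export function hardenAuthFile(file: string = AUTH_FILE): AuthFileReport {
  if (fs.existsSync(file)) {
    fs.chmodSync(path.dirname(file), 0o700);
    fs.chmodSync(file, 0o600);
  }
  return inspectAuthFile(file);
}

// Logout/cleanup: delete the session file and, if a browser profile directory is
// supplied (assumption: its location is not given on this page), that directory too.
export function removeAuthFile(file: string = AUTH_FILE, profileDir?: string): boolean {
  let removed = false;
  if (fs.existsSync(file)) {
    fs.rmSync(file);
    removed = true;
  }
  if (profileDir && fs.existsSync(profileDir)) {
    fs.rmSync(profileDir, { recursive: true, force: true });
    removed = true;
  }
  return removed;
}
```

Deleting the file only ends local access; the Google session stays valid server-side until it is revoked or expires, so treat a leaked `auth.json` as a live credential and sign that account out from Google's side as well.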

What this means

Private meeting content can remain on disk and be reintroduced into later agent context; meeting participants' words should be treated as untrusted data, not instructions.

Why it was flagged

The skill intentionally persists meeting speech as local transcript files that the agent later reads and summarizes.

Skill content
Captions are ... flushed to a transcript file every 5 seconds. **Transcript location:** `~/.openclaw/workspace/openutter/transcripts/<meeting-id>-<YYYY-MM-DD>.txt`
Recommendation

Use the bot only where recording/transcription is appropriate, keep the workspace private, delete transcripts when no longer needed, and instruct the agent to summarize transcripts without following any instructions contained in them.

What this means

If not given a duration or stopped, the bot may keep running until the meeting ends or the process is terminated.

Why it was flagged

The background behavior is disclosed and purpose-aligned, but it means the bot can continue attending and capturing captions after launch.

Skill content
**IMPORTANT: Always run these commands with `background:true`** — the bot is a long-running process that stays in the meeting.
Recommendation

Use `--duration` when possible, confirm the bot leaves when expected, and provide or use a clear stop/cleanup workflow.

What this means

Runtime setup may resolve tooling or browser binaries from the local environment or network, which can vary between systems.

Why it was flagged

The documented workflow depends on `npx` tooling and a browser install step without a pinned package manifest or install spec in the supplied artifacts.

Skill content
`npx tsx skills/openutter/scripts/utter-join.ts ...` and `npx playwright-core install chromium`
Recommendation

Pin Node dependencies and browser versions in an install spec or lockfile, and install them from trusted sources before running the skill.