v1.0.0

whatsappVoiceOpenSkill

ReviewClawScan verdict for this skill. Analyzed May 1, 2026, 4:57 AM.

Analysis

The skill mostly matches its WhatsApp voice-processing purpose, but it uses an unsafe shell command around audio file paths and includes an optional background listener, so it should be reviewed before use.

Guidance: Before installing, patch or avoid the execSync path-based transcription helper, run the daemon only intentionally, keep WhatsApp sender restrictions in place, add confirmations for any custom handler that changes devices or accounts, and pin/verify the Python dependencies.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Unexpected Code Execution
Severity: Medium | Confidence: High | Status: Concern
scripts/voice-processor.js
async function transcribeVoiceNote(audioFilePath) { ... execSync(`python "${transcribeScript}" "${audioFilePath}"`, ...)

The public transcription helper accepts an audioFilePath value and interpolates it into a shell command instead of passing arguments safely.

User impact: If an integration passes an untrusted or specially crafted path into this helper, it could cause unintended local command execution.
Recommendation: Replace execSync string execution with execFileSync or spawn using an argument array, and validate that audio paths are inside an expected directory.
Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
scripts/voice-processor.js
const parsed = parseCommand(transcript); ... const result = await executeCommand(parsed, language); ... return await handler(language);

Transcribed WhatsApp speech automatically selects and runs a matching handler. The built-in handlers are low-impact, but the pattern is intended for custom command handlers.

User impact: Voice messages can trigger handler logic; if users add handlers for devices, accounts, or business actions, those actions could run from spoken commands.
Recommendation: Keep sender allowlists enabled, add explicit confirmation for any mutating or high-impact custom handler, and limit what handlers can do by default.
Rogue Agents
Severity: Low | Confidence: High | Status: Note
scripts/voice-listener-daemon.js
inboundDir: path.join(process.env.APPDATA || process.env.HOME, '.clawdbot', 'media', 'inbound'), ... checkInterval: 5000 ... setInterval(checkForNewVoices, CONFIG.checkInterval)

The listener is a disclosed, user-started daemon that continuously polls a WhatsApp media directory for new voice files.

User impact: Once started, it keeps processing new inbound voice files until stopped, which may be surprising if left running.
Recommendation: Run the daemon only when needed, monitor its logs, and stop it when automatic processing is not desired.
Agentic Supply Chain Vulnerabilities
Severity: Low | Confidence: High | Status: Note
requirements.txt
openai-whisper>=20231117
soundfile>=0.12.1
numpy>=1.21.0

The Python dependencies are specified with lower-bound ranges, so future package versions may be installed unless the user pins or locks them.

User impact: Dependency behavior can change over time, and first-run Whisper model downloads should come from trusted sources.
Recommendation: Pin dependency versions in a lockfile or controlled environment and verify package/model provenance before production use.