Earnings Call Processor
Pass
Audited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill
Name: earnings-call-processor
Version: 3.0.0
The skill is classified as suspicious due to a shell injection vulnerability in the suggested usage instructions within SKILL.md. The documentation instructs the AI agent to pass the contents of a generated file, which includes untrusted transcription data from an external audio source, directly into a shell command using the `$(cat ...)` subshell pattern. This creates a high-risk path for Remote Code Execution (RCE) if the audio transcript contains malicious shell metacharacters. While the Python logic in src/process_earnings_call.py appears benign and aligned with its stated financial analysis purpose, the insecure integration pattern in the instructions poses a significant security risk.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Running the skill executes the installed Whisper command and processes the selected audio file on the local machine.
The script runs an external local CLI on a user-provided audio path. It passes an argument list rather than using shell=True, and the call is central to the transcription workflow, so this is expected behaviour, but it is still local command execution worth noting.
cmd = ["whisper", str(audio_path), "--model", model, "--output_format", "txt", ...]; result = subprocess.run(cmd, capture_output=True, text=True)
Install Whisper from a trusted source, run the command only on files you intend to process, and avoid using broad or shared output directories.
Security depends partly on the Whisper and pandas installations present in the user environment.
The skill relies on external runtime dependencies, but the supplied artifacts do not include a pinned install spec or lockfile. This is common for instruction-oriented skills but leaves dependency provenance to the user.
"requires": { "bins": ["whisper"], "python": [">=3.10"], "packages": ["pandas"] }
Use trusted package sources and known-good versions for Whisper and pandas before running the script.
If the Feishu publishing step is used, generated call transcripts and financial summaries may be stored in a Feishu workspace under the user's account.
The generated report is intended to be handed to another skill/provider for Feishu document creation. This is disclosed and user-directed, but it can share transcript and financial content outside the local environment.
use the feishu-doc skill to publish: python3 /path/to/feishu-doc/scripts/doc_ctl.py create "AAPL Earnings Call Summary" --content "$(cat /tmp/earnings_output/feishu_content.md)"
Inspect the generated markdown and Feishu draft, confirm the target workspace and sharing settings, and avoid publishing confidential call content unintentionally.
