Maylo Voice Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a real local voice assistant, but its network web UI can accept or trigger audio processing without authentication, so it needs careful review before use.

Install only if you are comfortable running a local voice assistant that listens through the Mac microphone, saves audio/log artifacts, and exposes a web UI on your network. Prefer binding the UI to localhost or a trusted interface, add authentication before using 0.0.0.0, disable MAYLO_WEB_WAKE unless you explicitly want web-started wake listening, and review the OpenClaw agent’s permissions because spoken or streamed audio becomes local agent input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding
The skill instructs the user to run local shell scripts, copy application files, create a virtual environment, and start services, which clearly implies shell, file read/write, and environment access despite not declaring permissions. Undeclared capabilities undermine the platform’s trust and review model because operators may authorize or execute the skill without understanding that it can modify files and launch processes on the host.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding
The web server starts an always-on wake-word listener automatically at application startup, which expands the component from a UI service into a background audio-capture service without an explicit opt-in. In this context, that creates privacy and operational risk because merely launching the web UI can enable continuous microphone monitoring on the host Mac mini.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The /ws/audio endpoint accepts arbitrary audio streamed over WebSocket and processes it immediately, but there is no authentication, origin restriction, consent flow, or user-warning mechanism visible in this file. In a voice-assistant context this increases privacy risk and can allow any reachable client to submit microphone-derived audio for transcription/agent processing.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding
The legacy push-to-talk path can trigger server-side microphone processing via assistant.run_once_ptt(), and startup also enables background wake-word listening by default. That means remote interaction with the web UI can cause audio capture on the server host itself, which is more sensitive than ordinary client-side recording because it activates the machine's microphone.

VirusTotal

64/64 vendors flagged this skill as clean.