Back to skill

Security audit

Wyoming Clawdbot

Security checks across malware telemetry and agentic risk

Overview

The skill appears to do what it claims, but it exposes voice prompts and a local Clawdbot profile through an unauthenticated network service, so it should be reviewed before use.

Install only on a trusted, firewalled host. Restrict the listener so only Home Assistant can reach it, prefer binding to localhost or a specific interface, use a dedicated low-privilege Clawdbot profile, make the .clawdbot mount read-only if feasible, reduce or disable transcript logging, and understand that spoken requests may be sent to Clawdbot and retained in logs or conversation context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The server binds to 0.0.0.0 by default and accepts arbitrary incoming Wyoming connections without any authentication or peer restriction. In this skill's context, any host that can reach the port can submit transcripts that are forwarded to the Clawdbot backend, potentially causing unauthorized use, prompt injection attempts against the downstream agent, privacy exposure, and resource consumption.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Each received transcript triggers execution of an external CLI process, giving remote clients an indirect capability to drive a local program repeatedly. Although `create_subprocess_exec` avoids shell injection, the design still expands the attack surface by enabling unauthenticated network input to invoke a local agent process, which can be abused for denial of service, unintended backend actions, or cost/resource amplification depending on what `clawdbot agent` can do.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README explicitly states that spoken user text is sent from Home Assistant through this bridge to Clawdbot, but it does not warn users about privacy, retention, third-party processing, or sensitive data exposure. In a voice-assistant and home-automation context, transcripts may contain private household information, credentials, addresses, or commands, so omitting disclosure increases the risk of unsafe deployment and uninformed consent.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly forwards Home Assistant voice commands to Clawdbot, which may include sensitive personal, household, or account-related speech content. Without a clear user-facing warning, users may unknowingly transmit private audio-derived text to another service, creating privacy and data-handling risk that is elevated in a home assistant context.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code logs full user transcripts at INFO level, which can capture sensitive voice content such as personal data, credentials, home activity, or private commands. In a voice-assistant bridge, transcript content is especially privacy-sensitive, and logs are often retained, shipped, or accessible to operators beyond the user who spoke the request.

Unpinned Dependencies

Low
Category
Supply Chain
Content
wyoming>=1.5.0
Confidence
93% confidence
Finding
wyoming>=1.5.0

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.