v0.1.1

Discord Local STT/TTS Installer (macOS)

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:53 AM.

Analysis

The skill behaves like a disclosed macOS installer, but it fetches and may build the latest upstream plugin code, so users should trust the GitHub project before running it.

Guidance

This appears to be a coherent installer, not a deceptive skill. Before running it, make sure you trust the vilmire/discord-local-stt-tts GitHub project and are comfortable installing the latest release into your OpenClaw plugins directory and optionally running pnpm dependency/build scripts.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Agentic Supply Chain Vulnerabilities
Severity: Medium, Confidence: High, Status: Note
bin/install.sh
REPO="vilmire/discord-local-stt-tts" ... curl -fsSL "https://api.github.com/repos/$REPO/releases/latest" ... curl -fL "$ZIP_URL" -o "$ZIP_PATH"

The installer dynamically downloads the latest GitHub release source zipball from a fixed upstream repo rather than a pinned version or checksum.

User impact: You install whatever code is the latest upstream release at the time you run the script.
Recommendation: Run this only if you trust the GitHub repository and current release; consider reviewing the release or pinning a known version before installation.

Unexpected Code Execution
Severity: Medium, Confidence: High, Status: Note
bin/install.sh
if command -v pnpm >/dev/null 2>&1; then ... (cd "$INSTALL_DIR" && pnpm i && pnpm -s build) || true

If pnpm is installed, the script runs dependency installation and build commands inside the downloaded plugin directory, which can execute package/build scripts from that project.

User impact: The installer may execute local build or package-manager code from the downloaded plugin and its dependencies.
Recommendation: Review the upstream package files and build scripts if you want stronger assurance, or run the build steps manually in a controlled way.

Agentic Supply Chain Vulnerabilities
Severity: Info, Confidence: High, Status: Note
metadata
Source: unknown; Homepage: none; OS restriction: none; Required binaries ... none

Registry metadata does not declare the source/homepage, macOS restriction, or required tools even though SKILL.md and the installer disclose them.

User impact: Registry-level checks may not show all setup requirements before a user reads the skill instructions.
Recommendation: Read SKILL.md before running the installer and verify that you are on macOS with the required tools available.