Audio Announcement

Security checks across malware telemetry and agentic risk

Overview

This is a real audio-announcement skill, but it asks for always-on agent voice behavior and startup persistence while sending spoken text through external TTS and including unsafe command-execution helpers.

Install only if you are comfortable with automatic spoken status updates. Do not announce secrets, prompts, filenames, or private task details unless you understand that online TTS may transmit text externally. Avoid adding the startup profile hooks unless you explicitly want persistence, and do not use the eval-based workflow helper with untrusted input.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Natural-Language Policy Violations

Medium
Confidence: 91%
Finding
The README explicitly states that every interaction must be announced by voice, and examples/configuration strongly bias toward Chinese output without requiring explicit user opt-in or honoring user privacy/context. Mandatory audible disclosure can leak sensitive task details, prompts, filenames, or operational status to nearby people, and forcing a language choice can further reduce user control and informed consent.

Missing User Warnings

Medium
Confidence: 89%
Finding
The script sends message text to edge_tts, which typically relies on a remote service, without clearly warning users that announcement content may leave the local system. If the messages contain sensitive task names, errors, or other private data, this can cause unintended data disclosure to an external provider.

Missing User Warnings

Medium
Confidence: 97%
Finding
The function announce_with_progress uses eval on each step string, which causes shell metacharacters, substitutions, and injected fragments to be interpreted as code. If any step command is built from untrusted input or passed through another layer unsafely, this can lead to arbitrary command execution in the current user's shell context.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation instructs users to place commands in shell startup/profile files so a Python script runs automatically on every new session. Even though the referenced script appears to be a self-check, persistence through shell initialization increases the attack surface: any later modification of that script or its path would execute automatically. The documentation does not clearly warn users about the persistence, and it does not require them to review the script contents and consent before adding the hook.

VirusTotal

67/67 vendors flagged this skill as clean.
