ClawHub

vociemaster

Security checks across malware telemetry and agentic risk

Overview

VoiceMaster is a legitimate TTS skill, but it automatically saves detailed local debug logs containing user script text and API responses without clearly warning users.

Review before installing if your scripts may be confidential. Use it only with text you are comfortable sending to SenseAudio and having saved locally in debug JSON files; delete those sidecar logs after use or modify the helper so debug logging is opt-in and redacted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The debug log persists full text variants, request payloads, and response bodies to disk, which can expose sensitive script content, user metadata, API behavior, and potentially operational details to other local users or later processes. Because this logging happens automatically on failure and by default writes next to the output file, sensitive data may be stored without clear user awareness or minimization.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The helper sends user-provided text and optional metadata to a third-party API, which is an external data disclosure risk if users are not clearly informed that their content leaves the local environment. In a dubbing skill this transmission is functionally expected, but the risk remains significant for confidential scripts or metadata.

External Transmission

Medium
Category
Data Exfiltration
Content
voice_id: $voice_id
    }
  }' |
curl -sS "https://api.senseaudio.cn/v1/t2a_v2" \
  -H "Authorization: Bearer $SENSEAUDIO_API_KEY" \
  -H "Content-Type: application/json" \
  --data-binary @-
Confidence
90% confidence
Finding
curl -sS "https://api.senseaudio.cn/v1/t2a_v2" \ -H "Authorization: Bearer $SENSEAUDIO_API_KEY" \ -H "Content-Type: application/json" \ --data-binary

External Transmission

Medium
Category
Data Exfiltration
Content
voice_id: $voice_id
    }
  }' |
curl -sS "https://api.senseaudio.cn/v1/t2a_v2" \
  -H "Authorization: Bearer $SENSEAUDIO_API_KEY" \
  -H "Content-Type: application/json" \
  --data-binary @-
Confidence
90% confidence
Finding
https://api.senseaudio.cn/

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal