Back to skill

Security audit

Voice Memo Sync

Security checks across malware telemetry and agentic risk

Overview

The skill is a real voice-memo transcription tool, but it needs review because it can broadly collect private media and persist enriched transcripts into Apple Notes, Reminders, and local memory.

Install only if you intentionally want OpenClaw to process private recordings and create local records plus Apple Notes and possibly Reminders. Before using it, review the iCloud scan paths, especially the Downloads scan; keep heartbeat auto-sync disabled unless you want recurring processing; and avoid personalized analysis if you do not want USER.md, SOUL.md, or MEMORY.md content mixed into saved notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (22)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly instructs file reads, shell execution, and system automation, but it does not declare corresponding permissions. This creates a transparency and consent gap: users and the platform may underestimate what the skill can access or modify, especially because it reads local files, runs scripts, and invokes AppleScript/CLI tooling.

Tp4

High
Category
MCP Tool Poisoning
Confidence
83% confidence
Finding
The documented behavior goes beyond simple media sync/transcription and includes persistent local state, Apple Notes/Reminders automation, and likely scheduled/background behavior. When a skill's actual behavior exceeds its declared purpose, users cannot give informed consent and may not expect broad filesystem scanning, note creation, or task scheduling.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Reading USER.md, SOUL.md, and MEMORY.md to generate personalized analysis expands the skill from transcription into user profiling. That broader data access is not necessary for basic voice memo processing and increases the chance that sensitive personal context is unnecessarily ingested and reused.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instruction to read USER.md, SOUL.md, and MEMORY.md is not clearly justified by the core task of syncing or transcribing media. Unnecessary access to broad personal context creates data-minimization violations and can expose sensitive information in downstream summaries, notes, or reminders.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The installer can append a recurring auto-sync task to a shared HEARTBEAT.md file, creating persistent scheduled behavior not clearly disclosed in the skill description. Even though it is gated by a flag or prompt, persistence mechanisms increase risk because they can cause ongoing access to user audio, transcripts, and connected services after installation.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The script persistently stores transcripts and source metadata under a workspace directory, which can retain sensitive file paths, URLs, and transcribed private content without explicit consent or retention controls. In a voice-memo skill, this is materially risky because inputs are likely to contain personal or confidential recordings.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script fetches a model from Hugging Face at runtime without prior notice, pinning, or integrity verification. This introduces undisclosed network egress and supply-chain risk, and may violate user expectations in environments handling sensitive media.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script scans `${DEFAULT_ICLOUD_BASE}/Downloads`, which is a broad catch-all folder likely to contain many unrelated personal or sensitive files beyond voice memos. In the context of a voice memo sync skill, this expands collection scope without clear necessity, creating unnecessary privacy exposure and increasing the chance that unrelated media files are copied into the workspace.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The README suggests very broad natural-language activation phrases such as 'Sync my voice memos' and 'Transcribe and summarize this audio' without any confirmation gate, scope restriction, or explicit invocation boundary. In a voice/memo-processing skill that can sync data and create downstream notes/reminders, ambiguous triggering raises the risk of unintended execution on user content or accidental modification of synced apps.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README advertises that recordings are processed automatically and outputs sync back to Apple Notes and Reminders, but it does not clearly warn users that the skill modifies persistent personal data stores. This can lead to users unknowingly authorizing writes to Notes/Reminders, causing privacy issues, unwanted data propagation across devices, and accidental task creation.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The example trigger phrases are broad natural-language commands such as '同步语音备忘录' and '转录并总结这段音频', which can plausibly appear in normal conversation or unrelated contexts. In a skill that can access local files, sync iCloud recordings, download remote media, and create Notes/Reminders entries, accidental invocation could cause unintended processing of private content or external network activity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to access personal context files for analysis without a clear user-facing consent prompt. Users may submit a voice memo expecting transcription only, while the skill silently pulls in unrelated personal memory/profile data and blends it into outputs.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The processing guide operationalizes hidden context access by telling the agent to read USER.md and MEMORY.md during routine processing. Without a prominent warning and opt-in, this creates a covert expansion of scope from media processing to personal-context mining.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The architecture explicitly states that the LLM will analyze transcripts using personal context from USER.md and MEMORY.md, but the document does not describe any user-facing consent, notice, minimization, or boundary controls for that contextual data. In a skill that processes potentially sensitive voice memos, silently enriching analysis with personal memory/profile files increases privacy risk and could expose intimate or unrelated data in generated notes, summaries, or downstream integrations.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The architecture includes URL/video ingestion via download and transcription, but provides no warning or control description around external retrieval of remote content. This can lead users to submit links without understanding that the system may contact third-party hosts, download potentially sensitive media, and process data that may have legal, privacy, or security implications.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installer creates directories, symlinks, config files, an index file, may modify Apple Notes, and may add a recurring heartbeat task, but it does not provide a consolidated upfront warning describing all filesystem and application-state changes. Silent or poorly disclosed install-time modifications reduce informed consent and can surprise users with persistence and external app integration.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes source metadata files containing the original input and timestamps, and elsewhere stores transcripts, without any meaningful user warning or consent flow. Because inputs may be private voice memos, document paths, or URLs, this creates a privacy and data-retention risk beyond transient processing.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script performs external network activity to download models and, in other branches, remote media, but only emits generic progress logs. Users may unknowingly send requests to third-party services, which is especially concerning for a tool processing sensitive recordings or private URLs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script copies discovered files into a workspace memory directory and records metadata in a processing log, but provides only operational console messages rather than meaningful consent, warning, or review. Because these are voice recordings and media files, the behavior can silently duplicate sensitive personal content into another application-controlled location, increasing retention and access risk.

Ssd 3

Medium
Confidence
88% confidence
Finding
The documented output format includes storing the full original transcript and the README also describes local retention in memory directories. Retaining and reproducing complete transcripts increases exposure of sensitive spoken content, including secrets, personal data, or third-party information, and expands the blast radius if local storage or synced notes are accessed by other apps/devices/users.

Ssd 3

Medium
Confidence
97% confidence
Finding
Combining transcript content with USER.md, SOUL.md, and MEMORY.md in generated notes can leak unrelated sensitive information into Apple Notes, reminders, or saved markdown files. Because these outputs are persisted and synced across devices, any accidental disclosure may spread beyond the original processing context.

Ssd 3

Medium
Confidence
97% confidence
Finding
The deep-processing workflow explicitly instructs the agent to combine stored personal context with transcript content, which increases the risk of sensitive data propagation into durable artifacts. This is especially dangerous here because the skill then saves results locally and pushes them into Apple Notes and possibly Reminders, creating multiple disclosure surfaces.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.