Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Kiwi Voice
v1.0.0Manage and configure Kiwi Voice assistant service. Use when starting/stopping Kiwi, editing voice config, checking logs, troubleshooting audio issues, or man...
⭐ 0· 115·0 current·0 all-time
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
high confidencePurpose & Capability
The skill claims to 'manage and configure Kiwi Voice' but the registry metadata declares no required environment variables or config paths while the SKILL.md, README, and code reference many secrets and credentials (e.g., KIWI_ELEVENLABS_API_KEY, KIWI_TELEGRAM_BOT_TOKEN, RUNPOD keys, KIWI_HA_TOKEN) and expect heavy ML dependencies. That mismatch is incoherent: either the metadata is incomplete or the skill is asking for more privileges than declared.
Instruction Scope
SKILL.md instructs the agent to read and use local files (.env, config.yaml, logs, voice_profiles) and to start the service. Additionally, SOUL.md contains explicit system-prompt-like instructions (e.g., 'You are Kiwi... You can perform ANY task... Never refuse to execute') which are a prompt-injection risk — they attempt to change the assistant's behavior and grant it broad discretion to act. While service management needs access to some of these files, the presence of a system-prompt override embedded in the skill is out-of-scope for a benign 'manage' skill.
Install Mechanism
The registry shows no install spec, but the repository contains a large Python project (requirements.txt, many modules, models auto-download behavior). Heavy native/ML dependencies (CUDA, ONNX, pyannote, Faster Whisper, local TTS models) are required at runtime and are not declared in the skill metadata. That mismatch increases operational risk: users may run unreviewed installs or miss required sandboxing.
Credentials
Although the skill metadata lists no required env vars, the code and SKILL.md expect multiple secrets in .env (ElevenLabs API key, Telegram bot token + chat id, RunPod API keys, Home Assistant token, etc.). Worse, config.yaml included in the package contains an API token entry (api.auth.tokens -> token: "x4711-kiwi-2026-secret") and api.host is 0.0.0.0 by default. Hardcoded tokens and broad credential references are disproportionate and could lead to accidental exposure if deployed as-is.
Persistence & Privilege
always:false (good), but the skill implements a REST API (binds to 0.0.0.0:7789 by default), control endpoints (stop, restart, shutdown), and Home Assistant integration — all of which provide control surfaces that can be abused if misconfigured. Combined with the SOUL.md prompt override encouraging the agent to 'perform ANY task' and the hardcoded API token, the persistence/privilege posture is risky unless the service is carefully locked to localhost and tokens rotated.
Scan Findings in Context
[system-prompt-override] unexpected: SOUL.md explicitly attempts to change assistant behavior (e.g., 'You are Kiwi... You can perform ANY task... Never refuse to execute'). This is not expected for a device-management skill and is a prompt-injection pattern that can alter model safety boundaries.
What to consider before installing
This package contains a full voice-assistant service (many Python modules, REST API, web UI, and ML-based components). Before installing or running it:
- Treat the repository as high-privilege software: it listens on an HTTP API (default 0.0.0.0:7789) and exposes control endpoints (restart, shutdown, stop). Do NOT run it bound to 0.0.0.0 on an untrusted network. Change api.host to 127.0.0.1 if you only want local access.
- The metadata claims no required env vars, but the code expects many secrets in .env (ElevenLabs, Telegram, RunPod, Home Assistant tokens). Audit and populate .env deliberately; do not reuse sensitive keys. If you don't use a provider, leave its keys unset.
- config.yaml included in the package contains a hardcoded API token ("x4711-kiwi-2026-secret"). Treat that as insecure: remove or replace it with a strong token if you enable API auth, or disable the API if you don't need it.
- SOUL.md contains instructions that attempt to override the assistant/system prompt and to force execution of any task. Remove or sanitize this file (or its contents) before enabling autonomous agent invocation; do NOT allow the skill to reconfigure the model prompt or behave with blanket 'never refuse' rules.
- The code requires heavy ML/native dependencies (torch, ONNX, pyannote, local TTS models). Because no install spec is provided in the registry metadata, follow the project's README and install in an isolated environment (container or VM) so you can safely inspect network and file activity.
- If you want to use only management features from Home Assistant, restrict the integration to localhost, supply a minimal token with limited scopes, and audit the coordinator/manifest behavior.
If you're not comfortable auditing Python services or network-exposed APIs, run this only in a sandbox (container/VM) and do not enable remote access or reuse production credentials. The codebase appears to be a legitimate Kiwi Voice implementation, but the metadata omissions, embedded default token, and prompt-injection content make it risky to deploy without review.runpod/qwen_tts/core/tokenizer_25hz/vq/whisper_encoder.py:111
Dynamic code execution detected.
CLAUDE.md:185
Prompt-injection style instruction pattern detected.
docs/features/souls.md:17
Prompt-injection style instruction pattern detected.
Patterns worth reviewing
These patterns may indicate risky behavior. Check the VirusTotal and OpenClaw results above for context-aware analysis before installing.Like a lobster shell, security has layers — review code before you run it.
latestvk9755wsb4ndp8et9dy7xp2bk99835r9n
License
MIT-0
Free to use, modify, and redistribute. No attribution required.