Oasis Audio

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned audio generation, but it reads sensitive local history/profile data and can send derived personal details to a third-party API with incomplete per-run user control.

Install only if you are comfortable with the skill reading your OpenClaw/QClaw session history, memory notes, and USER.md to personalize audio. Use dry-run or preview before sending, avoid debug mode for private content, and enable audit logging only if you intentionally want sent prompts saved locally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill exercises file read, file write, and network capabilities, but those permissions are not formally declared in a machine-enforceable way despite the behavior being described narratively. This weakens policy enforcement and informed consent because a host may not be able to gate or sandbox the skill correctly, especially given it reads local history, may persist consent state, and can write audit data.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The skill description emphasizes local-only processing and limited external transmission, but the documented behavior also includes local persistence of consent state, optional audit logging of outbound prompts, and status querying that may expose result URLs. Even if not overtly malicious, this mismatch can mislead users and reviewers about retention and disclosure paths for sensitive prompt content.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The code reads daily memory files and extracts data from USER.md, then returns both in the output object for downstream use. That materially expands the data available for external transmission and conflicts with the skill description's privacy expectations, creating a real risk of unintended disclosure of personal history and profile data.

Intent-Code Divergence

Low
Confidence
84% confidence
Finding
The docstring says only structured fields are extracted to minimize leakage, but the implementation also captures a free-form notes/preferences field. Free-form notes are much more likely to contain sensitive personal details than tightly scoped structured attributes, so this undermines the stated minimization control.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The consent notice promises that sensitive outgoing text will not be written to audit.log until explicit confirmation, but the implementation only blocks send/logging when heuristic or phone-based detections set needs_confirmation. Content matching ALWAYS_REDACT_PATTERNS is merely redacted and can still be written to the local audit log if --audit is enabled, creating a privacy/consent mismatch and possible retention of sensitive prompt content that users were told would not be logged.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The collector aggregates conversation fragments, memories, and profile data automatically and emits them as plain JSON without any built-in consent prompt, warning, or sensitivity classification. In a skill whose purpose is generating personalized audio via an external API, this makes silent overcollection and onward disclosure more likely.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script’s debug mode logs full request parameters and response bodies for calls to the external xplai API. Even though this status call appears to use only an audio/video ID, responses may include titles, subjects, URLs, queue metadata, or error details that could expose user-associated content in terminal logs, CI logs, or support artifacts. In the context of an audio-generation skill handling potentially sensitive personal material, this increases privacy risk.

Ssd 3

High
Confidence
96% confidence
Finding
The returned JSON includes raw user conversation fragments, daily memories, and profile notes in human-readable form, enabling broad exposure of sensitive personal information to any downstream component that consumes the collector output. Because this skill is designed to build prompts for an external narration service, the skill context increases the danger: personal reflections, mental state, and life events are especially sensitive in this use case.

Context Leakage

High
Category
Data Exfiltration
Content
Output: Audio ID for status polling. Format: MP3, single-narrator monologue with BGM, 8-20 min, ~4-5 min generation time.

### 2. Collect Context — `context_collector.py`

```bash
python3 context_collector.py --source-tool <qclaw|openclaw> --keywords "kw1,kw2" --days <N> --max-results 20
```

Confidence
88% confidence
Finding
Collect Context

VirusTotal

65/65 vendors flagged this skill as clean.
