Voice UI

Security checks across malware telemetry and agentic risk

Overview

This is a real voice assistant UI, but it exposes broad local agent, file, Git, and credential-related authority with too little scoping or user confirmation.

Install only in an isolated workspace with a disposable or tightly limited API key. Treat spoken prompts as capable of changing files and creating commits, review diffs before keeping changes, and avoid running the local server while visiting untrusted sites. Prefer a revised version that keeps provider keys server-side, restricts CORS/origins, adds authentication or localhost protections, and asks before committing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The context explicitly instructs the agent to run `git add -A && git commit` after making UI changes, which expands the skill's behavior from UI editing into repository mutation and history creation. In a self-evolving voice UI, this is more dangerous because user-triggered UI requests can silently cause persistent source-control changes without an explicit confirmation boundary.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The page fetches an API key into browser JavaScript and then uses it directly for OpenAI requests. Any user with DevTools, injected script, browser extension, or XSS foothold can recover and reuse that credential, potentially incurring cost and accessing broader API capabilities than this UI requires.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The server returns the value of OPENAI_API_KEY to any requester at /api/key and also enables Access-Control-Allow-Origin: *, so any website or local client that can reach this service can retrieve the secret. Exposing an API credential completely breaks its confidentiality and can lead to account abuse, unauthorized API usage, billing fraud, and downstream compromise of systems that trust that key.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The startup script automatically reads an OpenAI API key from the user's OpenClaw configuration file and exports it into the process environment without explicit user consent or clear necessity. For a launcher script, silently harvesting credentials from a broader user config expands the skill's access beyond what a voice UI startup path should need and increases the risk of credential misuse or unintended disclosure to the spawned Node process and its dependencies.

Missing User Warnings

Medium
Confidence: 96%
Finding
The file tells the agent to edit a specific local file and then commit the changes, but it does not disclose to the user that this will modify workspace files and create a git commit. Because the skill is framed as a voice assistant UI that can 'improve itself,' users may reasonably interpret requests as cosmetic runtime changes rather than persistent filesystem and repository mutations.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README explicitly promotes automatic self-modification and automatic Git commits, but does not warn users that spoken or typed prompts may trigger persistent code changes. In a voice-driven interface, this is especially risky because users may not understand that a conversational instruction can alter local code and create commits, increasing the chance of unintended or unsafe changes being saved.

Missing User Warnings

Medium
Confidence: 95%
Finding
The architecture section states that OpenClaw can use File System, Git, and APIs, but the README does not clearly warn users about the security consequences of granting an agent those capabilities. Because this skill is designed for self-evolution, those capabilities materially increase the risk of unauthorized file changes, source control actions, and external data/API access if the agent is misused or prompt-influenced.

Missing User Warnings

Medium
Confidence: 95%
Finding
The documentation explicitly advertises that spoken commands can trigger automatic code edits and Git commits, but it does not present this as a high-risk capability or warn users that normal conversational input may change files persistently. In a self-modifying UI skill, that omission is dangerous because users may invoke repository-changing actions without understanding the scope, review expectations, or rollback requirements.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill states it uses microphone input, Whisper, TTS, and an external model-backed voice agent, but it does not clearly warn that audio and prompts may be transmitted to third-party AI services. This creates a privacy and data-handling risk because users may speak sensitive information without informed consent or understanding of where that data is processed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The app transmits microphone audio, transcribed speech, and assistant text to external services, but the UI does not clearly disclose that off-device processing occurs. This creates a privacy and consent risk because users may believe speech stays local while sensitive content is actually sent to third parties.

Missing User Warnings

High
Confidence: 98%
Finding
This code both loads a sensitive API key and exposes it through a network endpoint without authentication or disclosure, making secret theft trivial. In the context of a voice UI, there is no legitimate need for the browser or arbitrary clients to receive the raw provider credential, so the mismatch in stated purpose increases confidence that this is unsafe.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script accesses sensitive API credentials from a user configuration file with no user-facing disclosure, confirmation, or auditability. In a self-evolving voice assistant context, this is more concerning because the launched application may modify itself or invoke networked model operations, so silently injecting an existing credential can enable unexpected billable API use or downstream exfiltration if the application is compromised.

VirusTotal

64/64 vendors flagged this skill as clean.