Voice Memo
PassAudited by VirusTotal on May 11, 2026.
Overview
Type: OpenClaw Skill Name: voice-memo Version: 1.0.0 The `SKILL.md` file instructs the OpenClaw agent to execute a local `node` script (`scripts/voice_memo.js`) with arguments (`--content`, `--summary`, `--topics`, `--decisions`, `--action_items`) that are derived from user-provided text after agent analysis. While the stated purpose is benign, the direct execution of a shell command with dynamically constructed arguments from user input (even after agent processing) introduces a significant vulnerability risk for command injection or RCE if the agent's command construction or the script's argument parsing is flawed. This represents a risky capability without clear malicious intent, classifying it as suspicious.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could create recurring threads or reminders beyond a single user request, potentially in an unintended chat or workspace.
This instructs recurring autonomous activity: creating a daily thread and sending nightly reminders. The artifact does not specify user opt-in, destination, scheduling mechanism, or how to disable it.
毎朝8時にボイスメモスレッドを作成... 毎晩21時にメモ未記録なら リマインダーを送信。
Require explicit user setup for any schedule, clearly name the destination, provide a disable command, and ask for confirmation before sending recurring messages.
The skill may not work as packaged, or it may depend on local code outside the reviewed artifacts.
The core workflow depends on a local script, but the supplied file manifest contains only SKILL.md and no script implementation, so reviewers cannot see where memo data is stored or what the script does.
"requires": { "scripts": ["scripts/voice_memo.js"] } ... node scripts/voice_memo.js addInclude the referenced script in the skill package or update the documentation to explain the external dependency and its provenance.
Voice memos may contain sensitive personal or business information that will be saved for search and listing.
The skill is designed to store transcribed voice memo text and derived summaries, decisions, topics, and action items for later retrieval.
文字起こしテキストの保存、要約・キーワード抽出、検索
Tell users where memo data is stored, how long it is retained, how to delete it, and whether stored content is reused across future tasks.