Voice Chat Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims, but it enables always-on voice-message processing and automatic chat replies without enough scoping or privacy controls.

Install only if you want an automatic voice-message responder. Before enabling the SOUL.md trigger, restrict it to trusted chats or users, decide whether Edge TTS and the active LLM provider may receive sensitive text, suppress transcript/reply logging where possible, and use pinned dependencies and verified model downloads.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares no permissions even though its documented behavior requires shell execution, environment access, and outbound network use. This creates a transparency and consent problem: users and reviewers cannot accurately assess the skill's capabilities, and the undeclared network/shell access increases the risk of unexpected data exposure or misuse if the skill is installed or auto-triggered.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 93%
Finding: The documented behavior does not fully match the actual capabilities described by analysis, including use of an external session-level LLM/context service and platform-specific handling not disclosed in the skill description. Behavior/description mismatch is dangerous because it defeats informed trust boundaries: a user may believe the skill only processes local audio, while it may also transmit transcript and conversation context externally or operate in broader contexts than advertised.

Missing User Warnings

Medium
Confidence: 90%
Finding: The design explicitly enables automatic download, transcription, and reply for voice messages across Telegram and Feishu, but it does not document consent, retention, disclosure, or handling boundaries for potentially sensitive audio content. Because voice messages often contain personal or confidential information and may be sent to local and remote STT/TTS components, the absence of privacy controls and user-facing notice creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 91%
Finding: The README states that voice messages are automatically processed and that Edge TTS may be used, but it does not clearly warn that user audio/transcripts may be sent to external services or require explicit user consent. In a messaging skill that auto-activates on received voice/audio, this creates a real privacy and compliance risk because sensitive user content can be transmitted off-device without notice.

Missing User Warnings

Medium
Confidence: 91%
Finding: The skill omits a clear warning that generated replies and potentially sensitive derived content are sent to a cloud TTS provider. In a voice/chat workflow, transcripts and context can contain private or regulated information, so undisclosed third-party transmission creates privacy, compliance, and data-handling risk, especially when activation is automatic on incoming audio.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill forwards full transcribed speech to another agent/LLM process without any consent, minimization, or disclosure. Spoken audio often contains sensitive personal or business information, so silent forwarding increases privacy and data-handling risk, especially because the content is combined with session context.

Ssd 3

Medium
Confidence: 97%
Finding: The code logs the full transcript and reply and returns the transcript in the JSON output, creating multiple exposure paths for potentially sensitive spoken content. Logs, stdout capture, and downstream consumers may retain or disclose this data beyond the original voice interaction.

Ssd 3

Medium
Confidence: 87%
Finding: The default reply template repeats the full transcribed speech back into the generated response, which can unnecessarily disclose sensitive spoken content in downstream channels, logs, notifications, or shared chat contexts. In a voice-processing skill that auto-activates on incoming audio, this increases the chance of propagating private data without explicit user confirmation.

Unpinned Dependencies

Low
Category: Supply Chain
Content:
pyttsx3>=2.90

# Configuration
pydantic>=2.6.0
pydantic-settings>=2.0.0
python-dotenv>=1.0.0
Confidence: 89%
Finding: pydantic>=2.6.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
# Configuration
pydantic>=2.6.0
pydantic-settings>=2.0.0
python-dotenv>=1.0.0

# Audio Processing
numpy>=1.21.0
Confidence: 78%
Finding: python-dotenv>=1.0.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
python-dotenv>=1.0.0

# Audio Processing
numpy>=1.21.0

# Optional (for future extensions)
requests>=2.31.0
Confidence: 72%
Finding: numpy>=1.21.0

Unpinned Dependencies

Low
Category: Supply Chain
Content:
numpy>=1.21.0

# Optional (for future extensions)
requests>=2.31.0
# aiohttp>=3.9.0
Confidence: 82%
Finding: requests>=2.31.0

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

High
Category: Supply Chain
Confidence: 91%
Finding: pydantic

Known Vulnerable Dependency: python-dotenv — 1 advisory(ies): CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

Low
Category: Supply Chain
Confidence: 61%
Finding: python-dotenv

Known Vulnerable Dependency: requests — 10 advisory(ies): CVE-2014-1830 (Exposure of Sensitive Information to an Unauthorized Actor in Requests); CVE-2024-47081 (Requests vulnerable to .netrc credentials leak via malicious URLs); CVE-2024-35195 (Requests `Session` object does not verify requests after making first request wi) +7 more

High
Category: Supply Chain
Confidence: 84%
Finding: requests

VirusTotal

64/64 vendors flagged this skill as clean.