Voice

Pass: Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: voice
Version: 1.0.1

The skill is classified as suspicious due to a critical command injection vulnerability in the `playAudio` function within `index.js`. Specifically, when playing audio on Windows, the `filePath` parameter is directly embedded into a PowerShell command string without sufficient sanitization, allowing for arbitrary command execution if a malicious `filePath` is provided. The `SKILL.md` and `README.md` explicitly document the `play` action with a user-controlled `filePath`, making this vulnerability easily exploitable by a malicious agent or user.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A crafted text or option value could execute unintended local commands under the agent user's account instead of only generating speech.

Why it was flagged

The skill builds a single shell command string from user-provided text and options, including output path, voice, rate, volume, and pitch, and hands it to exec. Only double quotes in the text are partially escaped; other shell metacharacters (backticks, `$(...)`, semicolons) are not handled, the option values are not validated, and nothing is passed as a safe argument array.

Skill content
const cmd = [ 'edge-tts', '--text', ..., '--write-media', outputFileName, '--voice', voice, '--rate', rate, '--volume', volume, '--pitch', pitch ].join(' '); ... await execAsync(cmd);
Recommendation

Replace exec with execFile/spawn using an argument array, validate voice/rate/volume/pitch with strict allowlists, and constrain output paths to the skill's temp directory.

Concern (Medium Confidence)
ASI05: Unexpected Code Execution
What this means

On Windows, a specially crafted file path could alter the PowerShell command used for playback.

Why it was flagged

The play action accepts params.filePath and embeds it into a PowerShell command string. Even though spawn is used (so no cmd.exe shell parses the arguments), the string passed with `-c` is itself a PowerShell script, and PowerShell interprets whatever the file path contributes to it.

Skill content
player = 'powershell'; playerArgs = ['-c', `(New-Object Media.SoundPlayer ...${filePath}...).PlaySync();`];
Recommendation

Avoid building PowerShell script strings from file paths; use a safer playback API or pass paths via non-interpreted parameters with strict validation.

What this means

Installing the skill dependency may download and run package code from the Python package ecosystem.

Why it was flagged

The skill can install an external Python package at runtime. This is disclosed in the docs and aligned with the TTS purpose, but it is not pinned to a specific version and the registry install spec is empty.

Skill content
await execAsync('pip3 install edge-tts');
Recommendation

Review the edge-tts package source/provenance, pin a known-good version, and prefer a declared install spec over an ad hoc install action.

What this means

Sensitive text provided for speech may be handled by the TTS provider/tool rather than staying only in the agent's local prompt.

Why it was flagged

The text to be spoken is processed through the Edge TTS engine/tool. This is central to the skill and disclosed, but it means users should consider where sensitive text is processed.

Skill content
Text-to-speech conversion using Microsoft Edge's TTS engine
Recommendation

Do not send secrets or private content to TTS unless you are comfortable with the provider/tool processing it; document the data flow clearly.

Note (High Confidence)
ASI08: Cascading Failures
What this means

A cleanup request could remove unrelated old audio files if they are stored in the same temp directory.

Why it was flagged

The cleanup action deletes any old mp3, wav, or ogg file in the temp directory, not only files with the skill's tts_ prefix.

Skill content
const files = fs.readdirSync(tempDir); ... file.match(/\.(mp3|wav|ogg)$/) ... fs.unlinkSync(filePath);
Recommendation

Limit cleanup to files created by this skill, such as a dedicated subdirectory or a strict filename prefix.