Trust Assessment
voice received a trust score of 18/100, placing it in the Untrusted category. This skill has significant security findings that require attention before use in production.
SkillShield's automated analysis identified 7 findings: 2 critical, 1 high, 3 medium, and 1 low severity. Key findings include Arbitrary command execution, Missing required field: name, Unpinned npm dependency version.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. The LLM Behavioral Safety layer scored lowest at 48/100, indicating areas for improvement.
Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (7)
| Severity | Finding | Details | Recommendation | Layer | Location |
|---|---|---|---|---|---|
| CRITICAL | Arbitrary command execution | Node.js child_process require | Review all shell execution calls. Ensure commands are static (not built from user input), use absolute paths, and are strictly necessary. Prefer library APIs over shell commands. | Manifest | skills/zhaov1976/voice/index.js:3 |
| CRITICAL | Unsanitized TTS options lead to command injection | The `textToSpeech` function constructs a shell command using `edge-tts`. The `voice`, `rate`, `volume`, and `pitch` parameters are directly concatenated into this command string without proper shell escaping. An attacker providing malicious input for these options (e.g., `voice: 'en-US-Wavenet-F"; rm -rf /;'`) could execute arbitrary commands on the host system. While the `text` parameter is somewhat escaped, the options are not, creating a critical command injection vulnerability. | Refactor the `textToSpeech` function to use `child_process.spawn` with an array of arguments instead of `child_process.exec` with a single command string. This prevents shell interpretation of arguments. If `exec` must be used, meticulously escape each parameter using a robust shell escaping library appropriate for the target OS, ensuring all metacharacters are neutralized. | LLM | index.js:48 |
| HIGH | Unsanitized `filePath` in `playAudio` leads to command injection | The `playAudio` function uses `child_process.spawn` to play an audio file. The `filePath` parameter, which can be controlled by the user via the `play` action, is directly passed as an argument to system-specific audio players (`afplay`, `powershell`, `aplay`). If `filePath` contains shell metacharacters (e.g., `"; rm -rf /;"` or PowerShell-specific injection characters), an attacker could execute arbitrary commands on the host system. | Strictly validate `filePath` to ensure it refers to a safe, local file path. If `filePath` is user-provided, it must be sanitized or validated against a whitelist of allowed characters/patterns. For PowerShell, ensure proper escaping of the `filePath` within the `-c` argument. Consider using a dedicated, cross-platform audio playback library that does not rely on shelling out to system players with user-controlled paths. | LLM | index.js:95 |
| MEDIUM | Missing required field: name | The 'name' field is required for openclaw skills but is missing from frontmatter. | Add a 'name' field to the SKILL.md frontmatter. | Static | skills/zhaov1976/voice/SKILL.md:1 |
| MEDIUM | Unpinned npm dependency version | Dependency 'edge-tts' is not pinned to an exact version ('^1.0.0'). | Pin dependencies to exact versions to reduce drift and supply-chain risk. | Dependencies | skills/zhaov1976/voice/package.json |
| MEDIUM | Conflicting and unpinned `edge-tts` dependency | The `package.json` lists `edge-tts: ^1.0.0` as a JavaScript dependency, while the skill's core logic (`index.js`) and documentation (`SKILL.md`, `skill.json`) explicitly refer to the Python `edge-tts` library, which is installed via `pip3`. This discrepancy can lead to confusion and potentially the installation of an unrelated or malicious JavaScript package if `npm install` is run. Furthermore, the `pip3 install edge-tts` command in `installDependencies` uses an unpinned version, meaning it will always install the latest version. If a malicious update is pushed to the PyPI `edge-tts` package, it could compromise the system. | 1. Remove the `edge-tts` dependency from `package.json` if it is not a JavaScript dependency actively used by the skill. 2. Pin the Python `edge-tts` dependency to a specific, known-good version (e.g., `pip3 install edge-tts==X.Y.Z`) to prevent unexpected or malicious updates. 3. Clearly document the Python dependency and its installation method in `SKILL.md`. | LLM | package.json:10 |
| LOW | Node lockfile missing | package.json is present but no lockfile was found (package-lock.json, pnpm-lock.yaml, or yarn.lock). | Commit a lockfile for deterministic dependency resolution. | Dependencies | skills/zhaov1976/voice/package.json |