Security Audit

voicemonkey

github.com/openclaw/skills

AI SkillCommit 13146e6a3d46

TRUSTED

Scanned 2 months ago

Critical

Immediate action required

High

Priority fixes suggested

Medium

Best practices review

Low

Acknowledged / Tracked

Trust Assessment

voicemonkey received a trust score of 80/100, placing it in the Mostly Trusted category. This skill has passed most security checks with only minor considerations noted.

SkillShield's automated analysis identified 2 findings: 0 critical, 1 high, 1 medium, and 0 low severity. Key findings include Sensitive path access: AI agent config, Insecure API token handling in example GET request.

The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.

Last analyzed on February 13, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.

Layer Breakdown

Manifest Analysis

100%

Static Code Analysis

85%

Dependency Graph

100%

LLM Behavioral Safety

93%

Behavioral Risk Signals

Network Access

1 finding

Filesystem Write

1 finding

Shell Execution

1 finding

Excessive Permissions

2 findings

Security Findings2

Severity	Finding	Layer	Location
HIGH	Sensitive path access: AI agent config Access to AI agent config path detected: '~/.clawdbot/'. This may indicate credential theft. Verify that access to this sensitive path is justified and declared.	Static	skills/jayakumark/voicemonkey/SKILL.md:13
MEDIUM	Insecure API token handling in example GET request The skill documentation provides a `curl` example for the 'Basic TTS Announcement' that includes the `VOICEMONKEY_TOKEN` directly in the URL's query parameters. Transmitting sensitive tokens via URL query parameters is less secure than using an `Authorization` header, as these parameters can be logged in web server access logs, proxy logs, and browser histories, increasing the risk of token exposure. Although the documentation also provides and recommends a more secure POST example using an `Authorization` header, the presence of the insecure GET example could lead to accidental misuse by users or automated agents. Remove the example that passes the `VOICEMONKEY_TOKEN` as a URL query parameter. Only provide examples that use the `Authorization` header for passing the token. Consider adding an explicit warning against using tokens in URLs.	LLM	SKILL.md:41

Scan History

Embed Code

[![SkillShield](https://skillshield.io/api/v1/badge/30e560aea728e64e.svg)](https://skillshield.io/report/30e560aea728e64e)