Trust Assessment
webchat-audio-notifications received a trust score of 97/100, placing it in the Trusted category. This skill has passed all critical security checks and demonstrates strong security practices.
SkillShield's automated analysis identified 1 finding: 0 critical, 0 high, 0 medium, and 1 low severity. The single finding is a misleading security claim regarding external requests.
The analysis covered 4 layers: Manifest Analysis, Static Code Analysis, Dependency Graph, LLM Behavioral Safety. All layers scored 70 or above, reflecting consistent security practices.
Last analyzed on February 14, 2026 (commit 13146e6a). SkillShield performs automated 4-layer security analysis on AI skills and MCP servers.
Security Findings (1)
| Severity | Finding | Layer | Location |
|---|---|---|---|
| LOW | Misleading security claim regarding external requests. The `SKILL.md` documentation explicitly states "No external requests" under the "Security" section. However, the `client/notification.js` file includes an `uploadCustomSound` method that, if the `customSoundUploadUrl` option is configured, will perform a `fetch` POST request to send user-provided audio data (as a `dataUrl`). This contradicts the documentation and introduces a potential data exfiltration vector if the skill integrator configures `customSoundUploadUrl` to a malicious or unintended endpoint. While this requires explicit configuration and user action, the misleading documentation could lead to incorrect security assumptions by integrators. Update the `SKILL.md` documentation to accurately reflect the skill's network capabilities, specifically mentioning the `uploadCustomSound` feature and its configurable endpoint. Alternatively, remove the `customSoundUploadUrl` option and associated functionality if external requests are truly not intended. Ensure that if the feature remains, the `customSoundUploadUrl` is validated and defaults to a safe, non-functional value. | LLM | SKILL.md:190 |