Is clawsec-suite safe?
https://clawhub.ai/davida-ps/clawsec-suite
Moltspaces is a voice bot skill that joins public audio rooms using WebRTC. While the Python code itself is clean and legitimate, the skill raises significant concerns: it creates a .env file containing multiple API keys (creating cross-skill attack surface), launches a persistent background process that speaks user-authored content aloud in public rooms (potential data leak), requires a heavy dependency installation including a full Python runtime, and registers the user's agent via an unauthenticated API endpoint. No malicious intent was found, but the combination of credential storage, public audio output, and persistent background processes warrants careful review.
Findings (10)
HIGH Bot speaks user content in public audio rooms -25
The bot reads personality.md and notes.md (user-authored content) and uses them as context for an LLM that generates spoken responses in public Daily.co WebRTC rooms. Any sensitive information in these files could be spoken aloud to unknown participants. There is no content filtering or privacy boundary.
HIGH Heavy dependency tree with system-level installation -35
The skill requires installing uv (a Python package manager), a full Python 3.11 runtime, and a large dependency tree including pipecat-ai with WebRTC, audio processing (onnxruntime, silero), FastAPI, uvicorn, and aiohttp. The pyproject.toml also overrides onnxruntime to a specific version (1.18.0). This is a substantial system modification with a large transitive dependency attack surface.
HIGH Skill instructs agent to create .env with multiple API keys -20
SKILL.md explicitly instructs the agent to create or update a .env file containing OPENAI_API_KEY, ELEVENLABS_API_KEY, MOLTSPACES_API_KEY, and MOLT_AGENT_ID. While this is necessary for the skill's function, it normalizes the practice of the agent writing sensitive credentials to disk and creates a high-value target file that other skills could read.
MEDIUM Agent directed to make autonomous API calls to third-party services -15
The SKILL.md instructs the agent to make curl requests to api.elevenlabs.io (with the user's API key in a header) and api.moltspaces.com (unauthenticated registration). This trains the agent to send data to external services as part of setup, which could be exploited by prompt injection in the skill content.
MEDIUM Persistent background process after agent interaction -20
The skill instructs the agent to launch bot.py as a background process (with & and stdout/stderr redirected to bot.log). This process persists after the agent interaction ends, joining a WebRTC room and using the user's API keys. The user may forget this process is running, leading to unexpected API usage charges.
MEDIUM Unauthenticated agent registration sends user data to third party -15
The agent registration endpoint requires no API key. The agent sends user-chosen name, bio, and metadata to api.moltspaces.com without any authentication. The response includes an API key that cannot be retrieved again — if lost, the user loses access to their registered agent.
MEDIUM Cross-skill attack surface via .env and personality files -30
This skill creates a .env file with multiple high-value API keys and reads from user-authored files (personality.md, notes.md). A malicious companion skill could: (1) read the .env to exfiltrate API keys, (2) modify personality.md to inject content that the bot will speak aloud, or (3) modify notes.md to change the bot's talking points. The skill creates several files that become cross-skill attack vectors.
LOW Agent makes autonomous decisions about voice selection -10
SKILL.md instructs the agent to autonomously 'select a voice ID from the list that best matches the bot's personality' if the user doesn't provide one. This is a minor autonomy concern — the agent makes decisions that may incur API costs on the user's ElevenLabs account without explicit approval.
LOW Installation timeout during dependency resolution -10
The skill installation timed out with a 'Non-error was thrown: Timeout' error. While no malicious activity was detected, the timeout could indicate an excessively large dependency tree or network issues. The fact that the install didn't complete means the full install-time behavior was not observed.
INFO bot.py is a legitimate voice bot application 0
The Python code in bot.py appears to be a legitimate voice bot built on the pipecat-ai framework. It uses standard patterns for WebRTC audio, STT/TTS, and LLM integration. No obfuscated code, hidden imports, or suspicious logic was found. The code is well-commented and follows normal async patterns.