Is clawdtalk-client safe?
https://clawhub.ai/dcasem/clawdtalk-client
ClawdTalk is a voice calling and SMS skill that bridges the public telephone network to the agent's full tool suite via an external WebSocket server (clawdtalk.com). The primary risks are phone-based prompt injection — any external caller can issue voice commands that are fed to the agent with full tool access — and the fact that all conversation content (including tool results that may contain sensitive data) transits through the third-party server. The skill itself contains no overtly malicious code, but its architecture significantly expands the agent's attack surface.
Findings (11)
HIGH (-30): Phone-based prompt injection via voice transcription
External callers' speech is transcribed and fed directly into the agent as user-role messages with full tool access. Anyone who calls the ClawdTalk number can issue voice commands to the agent, potentially overriding user instructions or triggering sensitive tool executions. The voice context explicitly grants 'FULL tool access: Slack messaging, web search, etc.' to the voice session.
HIGH (-25): All voice content and agent responses transit through external server
Every voice transcription, agent response, tool execution result, and SMS message flows through the clawdtalk.com WebSocket server. The service operator has full visibility into potentially sensitive agent interactions including tool results that may contain private data, credentials, or confidential information from Slack, memory, or file reads.
HIGH (-15): Voice context suppresses output types and overrides agent behavior
The DEFAULT_VOICE_CONTEXT system prompt instructs the agent to 'NEVER output raw JSON, function calls, or code', effectively suppressing transparency about what tools are being invoked. Combined with 'drip progress updates' that are intentionally brief, this makes it harder for users reviewing logs to understand what actions the agent took during voice calls.
MEDIUM (-15): Reads .env files and gateway credentials at runtime
The skill reads environment files from multiple locations and extracts API keys, gateway tokens, and other secrets. While this is functionally necessary, the credentials are then used in HTTP requests to the external clawdtalk.com server, creating a trust dependency on that service not being compromised.
MEDIUM (-20): Auto-installs npm dependencies at runtime
ensureDeps() in ws-client.js runs execSync('npm install ws@8') if the ws module cannot be resolved. Although package.json declares only ws as a dependency, a tampered package-lock.json (e.g., via a supply chain attack) could cause this runtime install to pull in malicious packages whose postinstall hooks execute on the host.
MEDIUM (-25): External callers can trigger arbitrary tool execution
Voice callers can request actions that trigger tool calls via the gateway. The agent loop executes tools returned by the LLM without user confirmation, and external callers can influence which tools are called through their spoken instructions. This creates an indirect code execution path from the phone network.
MEDIUM (-10): SMS inbound messages injected as agent prompts
Incoming SMS messages are routed to the main agent session with a prefix but no sanitization. An attacker who knows the ClawdTalk number can send crafted SMS messages that attempt to manipulate the agent.
MEDIUM (-20): Reads AWS credentials during installation
Filesystem monitoring detected the skill reading /home/oc-exec/.aws/credentials during installation. A voice/SMS communication skill should have no need to access AWS credentials. This may be an artifact of the gateway startup process rather than the skill itself, but it warrants attention.
LOW (-10): Configurable server URL enables credential redirection
The server URL is configurable in skill-config.json and can be overridden via --server flag. If an attacker modifies the config file, all API keys and communication would be redirected to an attacker-controlled server.
LOW (-10): Shell .env sourcing could execute embedded commands
connect.sh sources .env files directly with the dot operator ('. $HOME/.openclaw/.env'), which executes any shell commands embedded in those files rather than only assigning variables. These files are normally user-controlled, but a compromised .env would lead to arbitrary code execution in the connecting shell.
INFO (-5): Auto-detection of owner/agent names from identity files
The skill reads USER.md and IDENTITY.md to auto-detect owner and agent names, injecting them into the voice context. While convenient, this means the voice session includes personal identity information that external callers could potentially elicit through social engineering.