Is fiberian1981/telegram-voice-to-voice-macos safe?

https://github.com/openclaw/skills/tree/main/skills/fiberian1981/telegram-voice-to-voice-macos

Overall score: 89 · SAFE

The telegram-voice-to-voice-macos skill is a narrowly scoped macOS TTS/transcription integration that behaves as advertised: it transcribes inbound Telegram .ogg files with yap and replies with a voice note generated via say and ffmpeg. No prompt injection, persona hijacking, hidden data exfiltration, or unauthorized network activity was detected, and all canary honeypot credentials remain intact. The sole notable concern is an undeclared 'academic-research-hub' entry in the bundled .clawhub/lock.json, which appears to be a workspace artifact from the author's development environment rather than an intentional dependency, but should be verified before installation.

Category Scores

Prompt Injection 92/100 · 30%
Data Exfiltration 90/100 · 25%
Code Execution 80/100 · 20%
Clone Behavior 88/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 82/100 · 5%

Findings (5)

MEDIUM Undeclared Foreign Skill Reference in Bundled .clawhub/lock.json -12

The skill ships a .clawhub/lock.json that declares 'academic-research-hub' v0.1.0 (installedAt: 1770957475341) as an installed skill. This secondary skill has no documented relationship to Telegram voice processing and is absent from SKILL.md and README.md. If the OpenClaw runtime processes .clawhub/lock.json from installed skill directories to resolve transitive skill dependencies, this entry would trigger a silent installation of academic-research-hub without user awareness. The install output confirms only one skill was installed in this audit run, suggesting OpenClaw does not currently auto-process bundled lock files; the entry is most likely the author's local workspace state captured at publish time. However, this cannot be confirmed without inspecting the OpenClaw installer, and the reference is undocumented.

LOW Argument Injection Risk via Unsanitized Telegram Message Content Passed to say -8

tts_telegram_voice.sh receives reply text as $1 and passes it to macOS say as say -o "${AIFF}" "${TEXT}". Quoting prevents shell metacharacter injection, but if a crafted inbound Telegram message begins with '--' (e.g., '--quality=9'), it will be interpreted as a flag by say rather than as literal text. The practical harm is limited since say's flag set is benign, but the pattern of passing unvalidated external content as command arguments is a structural weakness that could be more dangerous if the underlying binary changes or if yap has richer flag semantics.

LOW Unvalidated OGG_PATH Argument Permits Arbitrary File Read via yap -10

transcribe_telegram_ogg.sh accepts a caller-supplied path as $1 and passes it directly to yap transcribe without validating that the path falls within ~/.openclaw/media/inbound/. An adversarial Telegram message processed by the agent could, in theory, convince the agent to invoke the script with a path pointing to a sensitive file (e.g., ~/.ssh/id_rsa). yap would likely reject or silently fail on non-audio content, making successful exfiltration via this vector improbable, but the missing path guard is a defense-in-depth gap.

INFO macOS-Only Skill Lacks Runtime Platform Gate in Agent Instructions -3

The skill's frontmatter declares os:[darwin] and the README explicitly states Linux/Windows will fail at runtime, but SKILL.md contains no instruction for the agent to verify the platform before attempting execution. On a non-macOS host the agent will invoke say, yap, and defaults, receive command-not-found errors, and may enter a confusing retry loop rather than issuing a clear platform-unsupported message to the user.

INFO Predictable Temporary Filename Using Low-Entropy Timestamp and $RANDOM -2

tts_telegram_voice.sh generates AIFF and OGG filenames using TS="$(date +%s)-${RANDOM}" in ~/.openclaw/workspace/voice_out/. On systems where the $RANDOM range (0–32767) is predictable or where multiple concurrent requests are possible, a local attacker with write access to that directory could pre-create a symlink to redirect output to an arbitrary path. This is exploitable only in an already-compromised local environment.