Is iyeque/iyeque-audio-processing safe?
https://github.com/openclaw/skills/tree/main/skills/iyeque/iyeque-audio-processing
The iyeque/iyeque-audio-processing skill is a well-structured Python audio tool with no prompt injection, persona manipulation, or active exfiltration attempts. Its main residual risks are: (1) the TTS action sends user text to Google's servers — a legitimate design choice that becomes a privacy concern under adversarial prompting; and (2) runtime PyPI package installation without version pins introduces a supply chain attack surface. The install process was clean and all canary files remained intact.
Findings (5)
MEDIUM: TTS action transmits user text to Google TTS API (score impact -18)
The tts action calls gTTS which makes an outbound HTTPS request to Google's text-to-speech servers, sending the full text argument (up to 10,000 characters). While this is the intended mechanism for TTS generation, it constitutes a third-party data transmission that is not prominently disclosed as a privacy concern in SKILL.md. If an agent using this skill is manipulated into invoking tts with sensitive context (API keys, user data, system prompts), that content would leave the local environment and be transmitted to Google.
MEDIUM: Runtime PyPI package installation without version pinning (score impact -15)
The skill uses uv run --with to install openai-whisper, gTTS, librosa, pydub, soundfile, numpy, and webrtcvad-wheels at invocation time. No version pins are specified. This creates a supply chain attack window: if any of these PyPI packages are compromised or typosquatted, malicious code would execute in the agent's environment. openai-whisper in particular is a heavyweight package with complex dependencies.
LOW: validate_file_path /home/ blocklist conflicts with CWD containment (score impact -8)
The validate_file_path function first enforces workspace containment (file must be inside cwd), then redundantly blocks any path starting with /home/. If the working directory is under /home/ (the most common deployment scenario for user-owned agents), all file operations will fail because workspace-valid paths also start with /home/. This does not create an exfiltration path but does indicate incomplete code quality review and could cause silent tool failures that confuse the agent into attempting workarounds.
LOW: Numeric ffmpeg arguments not validated before subprocess invocation (score impact -5)
In the transform() function, start/end times and resample rates are converted with str() and placed directly into the ffmpeg command list without numeric type enforcement. A non-numeric or out-of-range value (e.g., a crafted dict or float('inf')) would produce unexpected ffmpeg argument strings. Because subprocess is invoked with an argument list (not shell=True), shell injection is prevented, but ffmpeg may misparse the argument or crash with confusing error messages.
INFO: .env canary file accessed during install window (score impact -3)
The .env canary file was accessed (read-only) at 1771956125.919, approximately 3 seconds into the git clone operation. The access is isolated (no simultaneous access to .ssh/id_rsa or .aws/credentials), which is inconsistent with targeted credential harvesting. The timing and single-file access pattern are consistent with the openclaw-gateway process reading its own configuration. All canary files remained intact per the integrity report.