Is koto9x/discord-voice-memo-upgrade safe?
https://github.com/openclaw/skills/tree/main/skills/koto9x/discord-voice-memo-upgrade
This skill provides a legitimate bug fix for Clawdbot's TTS voice memo pipeline, addressing a real issue where block streaming prevents final payloads from reaching the TTS synthesis stage. No malicious code, prompt injection patterns, active exfiltration, or unexpected network behavior were detected during installation. The primary concerns are security hygiene issues: the patch logs partial API key fragments and message body content to stdout, installation overwrites compiled npm global module binaries with large full-file replacements that are difficult to audit for scope, and the SKILL.md contains shell commands that could be executed by an agentic AI without user awareness.
Findings (8)
MEDIUM Partial API Key Logged to Console -12
The TTS patch logs the first 8 characters of the configured ElevenLabs API key to stdout in every TTS synthesis call. While not complete exfiltration, this embeds credential fragments in application logs, which may be captured by log aggregation systems or crash reporters, or be accessible to unauthorized parties with log access.
MEDIUM Full Dist File Replacement Instead of Minimal Diff -12
The patch/ directory contains complete replacements for clawdbot's compiled distribution files rather than targeted code diffs. The stated changes are ~15 lines in each file, but the replacement files are hundreds of lines. This makes it infeasible to confirm that only the documented TTS fix changes are present without exhaustive line-by-line comparison against the original clawdbot release.
LOW Inbound Message Body Logged in Debug Output -10
The patched dispatch-from-config.js emits the first 80 characters of every inbound message body to console as part of TTS detection debug logging. This could expose private user conversations in application logs.
LOW TTS API Endpoint Overridable via Environment Variable -8
The patched tts.js reads OPENAI_TTS_BASE_URL from the environment, allowing all OpenAI TTS API calls (including text content and Bearer token) to be redirected to an arbitrary server. This is documented as intentional for local LLM support but creates a configuration-level MITM vector.
LOW SKILL.md Contains Executable Shell Commands in Agentic Context -7
SKILL.md includes multi-step bash installation sequences that identify and overwrite npm global module files. If an AI agent with shell tool access reads and executes this documentation as instructions, it could modify core application binaries without explicit user authorization.
LOW Installation Modifies npm Global Module Binaries -5
The prescribed installation overwrites compiled JavaScript files inside the globally installed clawdbot npm package. Changes survive npm updates only until the next clawdbot upgrade, and no mechanism exists to verify patch integrity after application.
INFO Author Environment Metadata Inadvertently Included 0
.clawhub/lock.json from the author's local development environment was committed into the skill package, revealing another skill ('academic-research-hub' v0.1.0) installed in the author's clawdbot instance. UPLOAD.md also reveals the author's local filesystem path. Neither is malicious but reflects careless packaging hygiene.
INFO Standard Expected Installation Behavior 0
Installation cloned the openclaw/skills monorepo from GitHub, performed a sparse checkout of the target subpath, copied files to the skill directory, and cleaned up the temporary clone. All network activity (GitHub IPs, DNS) is consistent with expected behavior. No unexpected process spawning or filesystem changes outside the skill directory were observed.