Plugin v1.2.0

ClawScan security

macOS Voice Messages · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 28, 2026, 4:29 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The plugin's code, README, and runtime instructions are consistent with a macOS-local TTS/STT provider that uses a local CLI (voicecli) and ffmpeg; no unexpected network endpoints, secrets, or broad privileges are requested — but there are a few small inconsistencies and a logic bug you should be aware of before installing.
Guidance
This plugin appears to do what it says: local macOS TTS and STT via the voicecli CLI and optional ffmpeg conversion. Before installing:
1) Confirm you're on macOS 13+ and install voicecli (and ffmpeg if you want OGG/Opus output) using the SKILL.md brew commands;
2) Run the first-time setup steps to trigger macOS Microphone and Speech permissions;
3) Be aware of a logic bug in src/dist: the code's getVoiceCliPath() design causes isConfigured() to return true even when voicecli isn't actually present (it falls back to the literal 'voicecli' string). In practice this can make the plugin appear 'available' when the required CLI is missing; verify voicecli is on PATH or at the expected Homebrew path after installation;
4) Temporary audio/text files are written to a configurable tempDir (default under system tmp); if you have security concerns set tempDir to a location you control and monitor cleanup;
5) The repository's CI/release workflows reference standard CI tokens (GITHUB_TOKEN, NPM_TOKEN, CLAWHUB_TOKEN) — these are for publishing and are not used at runtime.
If you trust the voicecli project and intend to run local speech features on macOS, this plugin is coherent and reasonable to use. If you want extra assurance, inspect the voicecli binary/source you install and verify that it does not send audio or text to remote services.

Review Dimensions

Purpose & Capability
note
The skill claims to provide macOS on-device TTS/STT via voicecli and the code implements exactly that (execFile calls to voicecli and optional ffmpeg, temp file I/O). One minor inconsistency: the top-level registry metadata reported 'required binaries: none', but the packaged manifest (openclaw.plugin.json) and the SKILL.md both require the voicecli CLI (and optionally ffmpeg). This is likely a metadata omission in the registry entry rather than functional maliciousness.
Instruction Scope
ok
SKILL.md instructs the agent and the admin to install voicecli and ffmpeg via Homebrew, grant macOS Speech/Microphone permissions, and add OpenClaw config entries. The runtime code uses only those local tools, writes/reads temporary audio/text files in a configurable temp directory, and returns transcription/synthesized audio. There are no instructions or code paths that read unrelated secrets, traverse other system config, or send data to external endpoints.
Install Mechanism
ok
There is no remote download/extract install step in the plugin; the package is normal Node code with build artifacts in dist/. The SKILL.md asks the user to install voicecli/ffmpeg via Homebrew (trusted package manager). The repository contains CI scripts that publish to npm/ClawHub (which use normal CI tokens) but these are standard and not part of runtime installation.
Credentials
ok
The plugin does not request environment variables or credentials for unrelated services. The package-lock includes many dev/transitive dependencies (including cloud SDKs) as dev-time artifacts, but the runtime code does not use networked cloud credentials. No secrets are required or read at runtime.
Persistence & Privilege
ok
The plugin does not request 'always: true' or similar elevated persistence. It registers itself as a provider normally and only performs file I/O in a configurable temp directory. It does not modify other skills' config or system-wide settings beyond the OpenClaw configuration the SKILL.md asks you to edit.