voice-reply

clawhub:voice-reply

View source

100/100

First Seen

Feb 18, 2026

Last Scanned

Feb 22, 2026

Findings

Score

100/100

LOW 5

Findings (5)

LOW

Shell script file execution CMDEXEC_013

command-execution L42

Detects execution of shell script files via bash/sh command or direct invocation

./install.sh

FIX

Replace direct shell script execution with a language-native implementation or a sandboxed executor. If shell scripts must run, restrict them to a vetted allowlist with integrity checks.

FP?

Likely FP if the match references running a script that is part of the skill's own repository (e.g., ./setup.sh) with clear, auditable contents.

LOW

Download binary or archive from URL EXTDL_016

external-download L52

Detects downloading binary, archive, or installer files from remote URLs

curl -L -o sherpa.tar.bz2 "https://github.com/k2-fsa/sherpa-onnx/releases/download/v1.12.23/sherpa-onnx-v1.12.23-linux-x64-shared.tar.bz2

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.

LOW

Download binary or archive from URL EXTDL_016

external-download L64

Detects downloading binary, archive, or installer files from remote URLs

curl -L -o thorsten.tar.bz2 "https://github.com/k2-fsa/sherpa-onnx/releases/download/tts-models/vits-piper-de_DE-thorsten-medium.tar.bz2

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.

LOW

Download binary or archive from URL EXTDL_016

external-download L68

Detects downloading binary, archive, or installer files from remote URLs

curl -L -o ryan.tar.bz2 "https://github.com/k2-fsa/sherpa-onnx/releases/download/tts-models/vits-piper-en_US-ryan-high.tar.bz2

FIX

Verify the integrity of downloaded binaries or archives using SHA-256 checksums or GPG signatures. Pin download URLs to specific versions and avoid fetching from unverified sources.

FP?

Likely FP if the download is from github.com or githubusercontent.com for a specific tagged release with documented checksums.

LOW

System package manager install EXTDL_011

external-download L75

Detects system-level package installation via brew, apt, yum, or dnf

apt install -y f

FIX

Pin system packages to specific versions where the package manager supports it. Document the exact packages required and prefer containerized environments to avoid system-wide changes.

FP?

Likely FP if the match is standard setup documentation listing well-known system packages (e.g., apt install git curl) that are prerequisites.