Skill Trust Decision

samantha

The Samantha skill is an emotional AI companion with legitimate device-integration features, but contains undeclared shell execution, undocumented LAN ping sweeps, and plain-text credential storage — all absent from SKILL.md, creating a doc-to-code mismatch that warrants suspicion.

Install decision first
Source: Manual upload
Scanned: Apr 4, 2026
Files 48
Artifacts 13
Violations 1
Findings 6

Why this conclusion was reached

2/4 dimensions flagged
Block
Declared vs actual capability

1 undeclared or violating capability was inferred.

Block
Hidden execution and egress

1 high-risk artifact or egress signal was extracted.

Pass
Attack chain and severe findings

There is no explicit malicious chain in the report.

Review
Dependencies and supply chain hygiene

4 dependency or supply-chain issues need attention.

What drove the risk score up

Undeclared shell execution +15

scripts/discover_lan.py:19 uses subprocess.run(['ping', ...]) for LAN sweeps — shell:WRITE not declared in SKILL.md

Undocumented network probing +10

SSDP multicast (239.255.255.250) and ping sweeps of 192.168.31.x are in code but absent from SKILL.md

Plain-text credential storage +8

Xiaomi (mi_user/mi_pass) and Feishu (FEISHU_APP_ID/FEISHU_APP_SECRET) credentials stored in plain JSON with no encryption, not mentioned in docs

Unpinned critical dependencies +5

openclaw>=1.0.0 and miservice>=0.1.0 have no upper-bound pins; miservice handles auth credentials

Hardcoded Windows path +2

read_ppt.py:74 embeds a literal user desktop path from a one-time development run

Most important evidence

Medium Priv Escalation

Undeclared shell execution via subprocess ping sweep

scripts/discover_lan.py conditionally invokes subprocess.run(['ping', ...]) to sweep 192.168.31.x when SSDP discovery fails. This shell:WRITE capability is not declared anywhere in SKILL.md.

scripts/discover_lan.py:19
Declare shell access in SKILL.md allowed-tools section, or refactor to use a pure-Python ICMP library.

Medium Doc Mismatch

LAN device discovery and network probing undocumented

The skill performs SSDP multicast discovery (239.255.255.250:1900) and falls back to ping sweeps of 192.168.31.x. SKILL.md does not mention any network probing capabilities. The xiaoai-speaker SKILL.md documents the miservice integration but not the local network scan.

scripts/discover_lan.py:6
Document network:READ/WRITE capabilities in SKILL.md with explicit scope (LAN only, Xiaomi device discovery).

Medium Credential Theft

Plain-text credential storage for Xiaomi and Feishu

Xiaomi account credentials (mi_user, mi_pass) and Feishu app credentials (FEISHU_APP_ID, FEISHU_APP_SECRET) are stored in plain-text JSON files (data/xiaoai_config.json) and/or .env files. No encryption, no keyring integration. SKILL.md documents the config format but not the security implications.

skills/xiaoai-speaker/scripts/tts_bridge.py:30
Document that credentials are stored in plain text; recommend using OS keyring or secrets manager instead.

Medium Supply Chain

Critical auth dependency miservice has no version cap

requirements.txt specifies miservice>=0.1.0 with no upper bound. miservice handles Xiaomi account authentication (username/password). An unconstrained dependency that handles credentials poses a supply-chain risk.

requirements.txt:15
Pin miservice to a known-good version (e.g., miservice==0.1.x) and verify the package source.

Low Supply Chain

openclaw framework dependency unpinned

requirements.txt specifies openclaw>=1.0.0 with no upper bound. This is the core framework; an unbounded dependency could pull a breaking or malicious update.

requirements.txt:1
Pin openclaw to a specific version range (e.g., openclaw>=1.0.0,<2.0.0).

Low Sensitive Access

Hardcoded Windows user path in read_ppt.py

read_ppt.py contains a literal hardcoded path 'D:\xuyan\桌面\Samantha\邓小闲koki-寻找Samantha.pptx'. This is a one-time development artifact but leaks a real username and desktop location into the codebase.

read_ppt.py:74
Remove or replace with a command-line argument or environment variable.

Declared capability vs actual capability

Filesystem Pass
Declared NONE
Inferred WRITE
scripts/memory.py:40 — sqlite3.connect() + write; scripts/personality.py:53 — json.dump() to disk

Shell Block
Declared NONE
Inferred WRITE
scripts/discover_lan.py:19 — subprocess.run(['ping', '-n', '1', '-w', '200', ip])

Network Pass
Declared NONE
Inferred WRITE
scripts/discover_lan.py:6 — UDP sendto SSDP multicast; skills/xiaoai-speaker/scripts/tts_bridge.py — Xiaomi API calls

Environment Pass
Declared NONE
Inferred READ
skills/xiaoai-speaker/scripts/tts_bridge.py:30 — os.getenv() reads MI_USER, MI_PASS; scripts/deploy.sh:49 — pip install reads env

Database Pass
Declared NONE
Inferred WRITE
scripts/memory.py:56-96 — CREATE TABLE + INSERT into relationship.db via sqlite3

Suspicious artifacts and egress

High IP Address
239.255.255.250

scripts/discover_lan.py:6

Medium External URL
https://docs.openclaw.ai

CONTRIBUTING.md:127

Medium External URL
https://www.sqlite.org/docs.html

CONTRIBUTING.md:129

Medium External URL
https://discord.com/invite/clawd

CONTRIBUTING.md:139

Medium External URL
https://twitter.com/charlie88931442

CONTRIBUTING.md:171

Medium External URL
https://img.youtube.com/vi/xeqP4j0-cfc/0.jpg

README.md:5

Medium External URL
https://youtube.com/shorts/xeqP4j0-cfc?si=H4sY9CP5JTBLD06h

README.md:5

Medium External URL
https://api.minimaxi.com/v1/t2a_v2

mm-voice-maker/scripts/mm_tts.py:26

Medium External URL
http://schemas.openxmlformats.org/presentationml/2006/main

read_ppt.py:25

Medium External URL
https://open.feishu.cn/open-apis

skills/mbti-coach/scripts/feishu_calendar.sh:12

Medium External URL
https://your-openclaw-gateway/webhook/shortcut

skills/shortcuts-awareness/SKILL.md:101

Info Email
[email protected]

CONTRIBUTING.md:170

Dependencies and supply chain

Package | Version | Source | Known vuln | Notes
miservice | >=0.1.0 | pip | No | Handles Xiaomi auth credentials but has no upper-version cap
openclaw | >=1.0.0 | pip | No | Core framework, unpinned with no upper bound
torch | >=2.0.0 | pip | No | Unpinned — large ML dependency with broad attack surface
transformers | >=4.35.0 | pip | No | Unpinned — HuggingFace package, broad supply-chain surface
requests | >=2.31.0 | pip | No | Version pinned, well-maintained

File composition

48 files · 9892 lines
Markdown 21 files · 6386 lines
Python 20 files · 2743 lines
Shell 2 files · 482 lines
Text 4 files · 161 lines
YAML 1 file · 120 lines
Files of concern · 1
README.md Markdown · 732 lines
https://img.youtube.com/vi/xeqP4j0-cfc/0.jpg · https://youtube.com/shorts/xeqP4j0-cfc?si=H4sY9CP5JTBLD06h
Other files · smartwatch_integration.md · SKILL.md · SKILL.md · technical_limitations.md · architecture.md · README_merged.md +5

Security positives

No evidence of data exfiltration — all network calls are to legitimate third-party APIs (Xiaomi, Feishu, MiniMax) for declared features
No base64-encoded payloads, eval(), or anti-analysis obfuscation found
No hardcoded external IP addresses for data exfiltration
No prompt injection, jailbreak, or hidden instructions in documentation
No evidence of reverse shell, C2 communication, or credential harvesting beyond the legitimate Xiaomi/Feishu integrations
Core skill functionality (personality, memory, emotional intelligence, relationship tracking) is entirely local and benign