deepclaw-voice

Fail

Audited by Socket on Feb 16, 2026

1 alert found:

Malware: HIGH
SKILL.md

[Skill Scanner] Installation of third-party script detected

No direct indicators of malicious code or backdoors in the provided setup instructions. The dominant issues are operational security risks: plaintext credential storage in ~/.env, exposing local services via ngrok without access controls, and guidance that encourages extracting local tokens into a public-facing configuration. These behaviors materially increase the chance of credential compromise and misuse (Twilio billing abuse, Deepgram usage, or unauthorized access to the OpenClaw gateway). Treat this project as functionally legitimate but security-sensitive: apply the mitigations above before using in production or sharing ngrok endpoints; restrict, rotate, and properly store credentials; and validate inbound webhook authenticity.

LLM verification: This SKILL.md is functionally consistent with its stated purpose: it needs Twilio, Deepgram, and an OpenClaw gateway token to operate. I did not find evidence of intentionally malicious code or obfuscation in the provided text. The primary security concerns are operational and configuration-based: instructions encourage storing plaintext credentials in a .env in the repository directory and exposing a local LLM gateway through ngrok, which increases risk of accidental credential exposure or unin

Confidence: 98%
Severity: 90%
Audit Metadata
Analyzed At: Feb 16, 2026, 01:06 AM
Package URL: pkg:socket/skills-sh/deepgram%2Fdeepclaw%2Fdeepclaw-voice%2F@67b9f533b3dfb85f0dd3499b1d22e0fddc157df2