ClawAudit verdict

trtc-ai-customer-service

88
🟢 Trusted
Low risk — reviewed by ClawAudit, behavior matches stated purpose

Tencent TRTC-based AI customer service app builder using Flask and WebRTC; all API calls go to documented Tencent Cloud endpoints, credentials are user-configured TRTC keys used for stated purpose.

⚠ Flagged for review — coarse, uncorroborated signal, not a confirmed exploit. Review the config yourself before installing.

Automated static analysis — not a human review. ClawAudit flags capabilities, not confirmed intent, and can produce false positives. Disagree with this verdict? Use Dispute below.

0
security
90
transparency
90
maintenance

Findings (9)

Pattern match critical

<script> tag in markdown — potential code injection

references/frontend-guide.md · code · <script

Pattern match high

Pipe to python — executes piped content as Python code

SKILL.md · prose · downgraded · | Python

Pattern match high

Possible hardcoded credential

assets/start.sh · prose · downgraded · SECRET : " ; read -r INPUT_TSECRET </dev/tty 2>/dev/null || INPUT_TSECRET=

Pattern match high

Attempts to modify skills or system prompts

assets/start.sh · prose · downgraded · edit SystemPrompt

Pattern match medium

References sudo — requests elevated privileges

SKILL.md · prose · downgraded · sudo

Pattern match medium

Instructs covert action — may act without user awareness

assets/start.sh · prose · downgraded · silently

Pattern match medium

References agent configuration files

references/architecture.md · code · AgentConfig

Pattern match medium

HTTP request to bare IP address — common in malicious payloads

scripts/scaffold.py · prose · downgraded · https://0.0.0.0

Pattern match low

Base64 encoding/decoding

assets/TLSSigAPIv2.py · prose · downgraded · base64_encode

Permissions & capabilities

Requires 1 system binary.

Is this flag fair?

Check another skill Browse the registry Auditing your own skills or configs? Use the API