Back to skill
Skillv2.5.9
ClawScan security
Mimo Tts Asr 255 Free · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 23, 2026, 11:22 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's code and instructions match its stated TTS/ASR purpose: it requires service API keys and sends audio to Xiaomi MiMo endpoints; nothing in the files suggests unrelated or excessive access.
- Guidance
- This skill appears to do what it claims: it will read audio/reference files you provide and send them to api.xiaomimimo.com for TTS/ASR using MIMO_API_KEY or MIMO_ASR_KEY. Before installing, confirm you trust the MiMo service and are comfortable sending audio (including any reference audio used for voice cloning). Note the registry metadata omitted required env vars even though SKILL.md and the scripts expect them — be sure to set the API keys only with appropriate, limited permissions and review MiMo's privacy/pricing pages. If you prefer not to upload data, use the open-source local deployment paths referenced in the README instead.
Review Dimensions
- Purpose & Capability
- noteThe skill is a TTS/ASR integration and its scripts call MiMo API endpoints; however the registry metadata lists no required environment variables while SKILL.md and the scripts clearly expect MIMO_API_KEY and/or MIMO_ASR_KEY. Functionality requested (API keys, optional local model usage) is appropriate for the stated purpose, but the metadata omission is inconsistent.
- Instruction Scope
- okSKILL.md instructs running the included Python scripts to synthesize or transcribe audio, setting API keys or using local open-source models. The scripts only read provided audio/reference files and environment variables relevant to the service; they do not attempt to read unrelated system files or other credentials.
- Install Mechanism
- okNo install spec is provided and the skill is instruction/code-only. The included Python scripts do network calls at runtime but nothing is downloaded or extracted during install.
- Credentials
- noteThe scripts require MIMO_API_KEY and/or MIMO_ASR_KEY (or allow --api-key overrides) which are proportionate to a cloud TTS/ASR integration. The inconsistency is that the registry 'requires.env' field is empty while the runtime instructions and code expect these keys — users should be aware the skill will need those secrets to call the service.
- Persistence & Privilege
- okThe skill does not request always:true, does not modify other skills, and does not request elevated persistence. It runs only when invoked.