Back to skill
Skillv1.0.1
ClawScan security
Smallest Ai · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 16, 2026, 10:53 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's files, instructions, and requested environment (SMALLEST_API_KEY and curl) are consistent with a Smallest AI text-to-speech / speech-to-text integration; nothing in the package appears to request unrelated secrets or perform unexpected system access.
- Guidance
- This package appears to be a straightforward Smallest AI TTS/STT integration and only needs your Smallest API key and curl. Before installing: (1) verify the skill's origin (source/homepage is listed as unknown here) and prefer official provider repos if available; (2) be aware that any text and audio you send will be transmitted to smallest.ai (so avoid sending sensitive secrets or private audio you don't want shared with the provider); (3) supply a least-privilege API key (not a broad organizational admin key) and monitor usage/rate limits on the provider console; and (4) if you plan to merge the PLAN.md core changes into your system, review the proposed code edits carefully since they alter core TTS provider lists and env-key resolution.
Review Dimensions
- Purpose & Capability
- okName/description, scripts, and documentation all describe TTS/STT via Smallest AI and the only required credential is SMALLEST_API_KEY; required binary (curl) is appropriate for the provided curl-based scripts. No unrelated services, credentials, or binaries are requested.
- Instruction Scope
- okSKILL.md and included scripts instruct the agent to call smallest.ai endpoints, synthesize or transcribe audio, and write local media files. The runtime instructions do not ask the agent to read unrelated system files or other environment variables; all file I/O is local (media/tmp) and aligned with the stated functionality.
- Install Mechanism
- okThere is no remote install/download step; this is an instruction+scripts skill with bundled scripts and docs. No arbitrary external archives or shortener URLs are used in install steps, lowering install-time risk.
- Credentials
- okOnly SMALLEST_API_KEY is required (declared as primaryEnv). That single credential is appropriate and expected for a third-party TTS/STT provider; no other secrets or config paths are requested.
- Persistence & Privilege
- okThe skill is not marked always:true, does not request system-wide privileges, and does not modify other skills' configs. Agent autonomous invocation remains default but is not combined with excessive privileges here.