ClawHub

Ressemble TTS e STT

PassAudited by ClawScan on May 1, 2026.

Overview

This skill appears to do what it claims—send text or audio to Resemble AI for speech generation/transcription—but users should notice the external API and API-key requirements.

This appears safe for its stated TTS/STT purpose. Before installing, make sure you are comfortable sending the selected text/audio to Resemble AI, provide the API key only in a controlled environment, and note that curl, jq, and base64 are required even though the registry metadata does not list them.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Low
#ASI02: Tool Misuse and Exploitation
What this means

Text submitted for speech generation and audio submitted for transcription are sent to Resemble AI.

Why it was flagged

The skill clearly discloses that it contacts Resemble AI over HTTP; this is expected for TTS/STT, but user text and audio may leave the local environment.

Skill content
It uses direct HTTP calls to Resemble's production endpoints and supports asynchronous transcription polling.
Recommendation

Use this only with audio/text you are comfortable sending to Resemble AI, and confirm the provider's data-handling terms for sensitive content.

Low
#ASI03: Identity and Privilege Abuse
What this means

Anyone or any agent process with access to the environment variable may be able to make Resemble API calls under the user's account.

Why it was flagged

The skill requires a Resemble API key for provider access. This is purpose-aligned, but it grants delegated access to the user's Resemble account.

Skill content
env: ["RESEMBLE_API_KEY"]
    primaryEnv: "RESEMBLE_API_KEY"
Recommendation

Use a dedicated/limited API key if available, avoid exposing the environment variable in logs, and rotate the key if it may have been shared.

Info
#ASI04: Agentic Supply Chain Vulnerabilities
What this means

Installation or invocation may fail unless curl, jq, base64, and RESEMBLE_API_KEY are available, even though the registry summary says no requirements.

Why it was flagged

The included skill file declares required binaries and an API key, while the registry-level requirements list no required binaries or environment variables. This is an under-declared setup requirement rather than evidence of hidden behavior.

Skill content
requires:
      bins: ["curl", "jq", "base64"]
      env: ["RESEMBLE_API_KEY"]
Recommendation

Before installing, verify that the declared command-line tools are present and that the API key requirement is acceptable.